Heartbleed SIN breach suspect ID'd by RCMP

The Canada Revenue Agency was asked by the RCMP not to publicize the theft of 900 social insurance numbers so the Mounties could investigate - a tactic they say led to a "viable" lead over the weekend. Meanwhile, the NDP is asking questions about the government's response to the security breach.

Mounties say theft of 900 SINs kept under wraps due to investigation

Computer password (Shutterstock)

RCMP have identified a "possible offender" after the Canada Revenue Agency saw 900 social insurance numbers stolen in a web security breach due to the Heartbleed bug.

The Mounties said in a statement Tuesday that they asked the CRA not to tell the public Friday about the breach so they could look into a "viable" lead in their investigation.

But the NDP wants to know more about the government's decision to shut down the CRA website and whether it could have done more to avoid the security breach in the first place.

The CRA spent days patching a hole in its security that allowed hackers to steal information without leaving a trace. The Heartbleed bug affected servers around the world.

"This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigate further risk" the RCMP said.

The RCMP would not provide further details about the suspect.

The CRA temporarily shut down some access to its website late Tuesday last week after warnings that a security flaw in website encryption software — the Heartbleed bug — could leave websites vulnerable to hackers.

The shutdown was extended to other government websites later in the week.

NDP wants answers

The CRA said Monday that it realized on Friday that 900 social insurance numbers had been stolen during a six-hour attack that exploited the Heartbleed vulnerability. It did not indicate when the hour attack had occurred.

The agency notified the privacy commissioner's office Friday and referred the matter to the RCMP.

Fears of a bug in the OpenSSL software used for encryption on two-thirds of the world's internet servers surfaced more than a week ago. The U.S. Department of Homeland Security issued a public warning on April 7. Public Safety Canada issued a notice about the vulnerability the next day, and by the end of the day, CRA had closed parts of its website.

The NDP says there are troubling gaps in what the government has said about the matter to date.

"What's really disturbing is the lack of clarity on what CRA did when they found out about the Heartbleed bug," MP Charlie Angus told CBC News.

Angus and fellow NDP MP Murray Rankin wrote a letter Tuesday calling on Revenue Minister Kerry-Lynne Findlay to "reassure Canadians" by explaining:

  • Who notified the CRA of the Heartbleed bug.
  • When the CRA learned that the bug was in its system and whether precautionary checks were made when the world learned of the bug on April 7.
  • Why the CRA delayed shutting down web operations until Tuesday when news of Heartbleed was made public Monday.

The letter also notes that on the day the CRA website was shut down, the agency's assistant commissioner and chief privacy officer, Susan Gardner-Barclay, was telling MPs on a House of Commons committee that the agency's security systems were "one of, if not the strongest security regimes" in any government department, while making no mention of Heartbleed.

"The world was told on Monday that this backdoor was open. On Tuesday, CRA's top privacy experts were in Parliament saying we've got the best firewall systems anywhere, everything is fine.

"So what happened between the world being told and all the hackers being told that the Heartbleed bug was out there, and CRA taking action?" Angus said.

Gardner-Barclay told CBC News she didn't know of the Heartbleed bug when she appeared at the Commons committee early Tuesday afternoon.

The CRA restored public access to its site over the weekend and extended the tax filing deadline for Canadians to May 5.

with files from James Cudmore


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?