The Canada Revenue Agency is this week notifying 900 taxpayers who it believes had their social insurance numbers stolen as a result of the Heartbleed bug that has affected hundreds of prominent websites.
The tax agency shut down public access to its online services on Tuesday, April 8, after it discovered that the Heartbleed encryption vulnerability had affected people using the CRA's website.
The social insurance numbers were stolen over a six-hour period by someone exploiting the vulnerability in many supposedly secure websites that used an open-source encryption system.
The agency is sending registered letters to those taxpayers who are affected, rather than emailing because it doesn't want fraudsters to use phishing schemes to further exploit the privacy breach.
The CRA website was brought back online on Sunday, April 13 after the CRA patched and re-launched its online services, including the E-file and Netfile online income tax portals.
People who were not able to file their income tax last week because of the website shutdown have been given an extra week to make the tax deadline. CRA has extended the filing deadline to May 5, 2014 before penalties apply.
The Heartbleed bug – which had made websites vulnerable for up to two years before it was discovered last week – gave hackers access to passwords, credit card numbers and other information at many websites.
Websites that were vulnerable to the bug include Google, Facebook, YouTube, Pinterest, Netflix and Blogspot. Users of those websites are being asked to change their passwords.
The Better Business Bureau of East Kootenay is going one step forward and suggesting that consumers change their passwords on all sites they use, particularly those that retain personal identifying information.
The bureau is providing the following guidelines:
• Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.
• Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password. The bureau suggests choosing passwords that are phrases (for instance, ilovetofish) and making each letter O into a zero to make the password more complex. Look into password management software to help you keep track of really “long and strong” passwords.
• Unique account, unique password: Separate passwords for every account helps to thwart cyber criminals.
• Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer.
• Own your online presence: When available, set the privacy and security settings on websites to your comfort level for information sharing. It’s okay to limit how and with whom you share information.
For businesses, the bureau is recommending that they immediately check to see if their website uses the Open SSL program that has been hit by the Heartbleed bug. If a vulnerability exists, work with a computer professional to install a more secure SSL program on the website.
For more information and other consumer tips, visit bbb.org.
With files from Jeff Nagel, Black Press