The malicious Heartbleed bug, which forced the Canada Revenue Agency to shut its website down last week, has claimed hundreds of social insurance numbers from taxpayers.
In a statement Monday, the CRA said it was notified by the government’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period.
“Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed,” commissioner Andrew Treusch said.
The agency said those affected will be contacted by registered mail only, and not by telephone or e-mail.
Free credit protection services will also be provided at no charge.