After news broke that 900 SINs were stolen from CRA as a result of the Heartbleed bug, CRA commissioner Andrew Treusch said the agency “share[s] the concern and dismay of those individuals whose privacy has been impacted by this malicious act.”
In his statement, he added, “CRA online services are safe and secure [and] CRA [has] responded aggressively to successfully protect our systems. We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards.”
In coming weeks, everyone affected will receive a registered letter and free access to credit protection services, says CRA.
As well, Treusch says, “A dedicated 1-800 number has also been set up to provide [people] with further information, including what steps to take to protect the integrity of their SIN.
“The agency won’t be calling or emailing individuals to inform them that they have been impacted [since] we want to ensure our communications are secure and [not] exploited by fraudsters through phishing schemes.”
Further, the statement says the privacy breach was reported to national officials, such as the Office of the Privacy Commissioner of Canada and RCMP, on April 11, 2014.
CRA has also confirmed it won’t apply interest or penalties to individual taxpayers filing their 2013 tax returns after April 30 for a period equal to the length of the service interruption. The agency’s online services were up and running five days after problems were discovered.
Revenue Minister Kerry-Lynne Findlay says that means 2013 tax returns filed by May 5, 2014 won’t incur interest or penalties.
The CRA has apologized to Canadians for the delay and inconvenience, but added the shutdown was necessary to ensure the agency’s online services were safe and secure.
Service has also been restored to all publicly accessible Government of Canada websites, the Treasury Board said in a release.
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy. The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.
So, whether or not your clients were affected by the CRA breach, follow the steps below to help them protect their data.
1. Urge people to review all financial accounts and current statements. If they notice any extra charges or unfamiliar activity, they should phone their financial institutions to report them.
2. If clients don’t notice anything out of the ordinary, they should still phone their banks to put notes on their accounts. That way, they’ll be notified immediately of any problems or uncharacteristic charges (those placed out of the country and any unusually large purchases, for example).
3. If they don’t want to wait for a letter from CRA, your clients can phone Equifax to request credit protection services at a cost.
4. To protect online accounts, clients should change all passwords. For more information, read: Change your passwords, now.
5. Further, they should be wary of all suspicious phone calls, emails and email attachments. Since IT systems across the globe are currently at risk, scammers could try to bait people.
6. Finally, encourage people to keep a closer eye on their financial accounts and credit situations throughout the year. When information is stolen, thieves don’t often use it right away. As well, they could start with small transactions that are easy to overlook.