The fallout from the Heartbleed bug could go far beyond just 900 social insurance numbers compromised at the Canada Revenue Agency.
Alberta computer security expert John Zabiuk suspects there’s a wave of problems coming.
“Right now, we’re just seeing the tip of the iceberg,” he said. “This is probably the largest flaw that’s hit the Internet in history.”
Zabiuk is with the Northern Alberta Institute of Technology in Edmonton, where, as an ethical hacker, he teaches students to protect computer systems by approaching the problem from a hacker’s perspective.
The revenue agency says it’s analyzing data to determine what else might have been siphoned out. Zabiuk says officials are likely to discover a much bigger cache of information has been compromised.
“Realistically, with over two thirds of all servers compromised online with this vulnerability, we’re going to be seeing a lot more fallout from this,” he said.
The revenue agency said it suffered “a malicious breach of taxpayer data that occurred over a six-hour period.”
The problem is that the bug has been loose for two years, said Zabiuk.
“So what we’re seeing with the 900 users that they say have been affected or compromised — that’s just in the last two weeks that they’ve been keeping track of what’s going on with this,” he said.
“Prior to this, again it’s been out for over two years, so what’s gone on in that span of time?”
He said the government did the right thing when it learned of the security problem.
“I think the response is appropriate in taking down the servers that they knew were vulnerable,” he said. “It’s really the only way to protect the citizens and the people using those servers.”
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy. The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.
Zabiuk said the fix is simple. The problem is applying the patch to all of the hundreds or thousands of servers that may have been affected.
CRA said it will notify everyone involved in the security breach by registered letter and will offer access to credit protection services.
The Canadian government on the weekend restored service to all its publicly accessible websites as well as the tax-filing systems E-file and Netfile.
The revenue agency said that because its website outage lasted five days, it will effectively extend the tax filing deadline by that length of time. Returns filed by May 5 will not incur interest or penalties.
Andrew Treusch, commissioner of the agency, said he shares the concerns of those whose privacy has been violated.
The Privacy Commissioner has been notified of the security breach and the Mounties are investigating.