Heartbleed: Security Bug compromises SIN Numbers, Personal Data

April 21, 2014

The Heartbleed Bug: by now it is a household name. Last week, the security bug made international headlines; the software that protects your passwords, banking information and other personal information shared on ‘secure’ websites was not very secure after all.

The bug could allow a hacker to access data stored by some banks, email providers, government organizations and businesses: user names, passwords, emails and business documents could all be accessed on their websites. The bug affects OpenSSL encryption, which most sites on the internet use to keep their data and yours safe. How do you know if a website you’ve shared personal information with uses OpenSSL? Looking for the ‘s’ at the end of https at the start of the address is a good indication.

By now, reliable organisations should have all fixed this bug and restored security to their sites. The fix did not come, however, before at least one major security breach took place in Canada.

The Canada Revenue Agency has been compromised. On April 14, the CRA confirmed that 900 Social Insurance Numbers were stolen from its online database. If your SIN has been stolen, the CRA says it will let you know by mail. Now, the RCMP has arrested a 19-year-old university student from London, Ont., in connection with the thefts. If your SIN was stolen, it can be used by a criminal to steal your identity (e.g. use your credit, get a driver’s license). The CRA says its written letter will explain everything you need to do if your SIN was stolen. In the meantime, security experts are advising Canadians to keep an eye on their bank accounts to ensure no one is using them illegally.

Canada’s banks have all rallied to assure their customers there has been no security breach for them. The Canadian Bankers Association says our banks have the most secure systems in place for monitoring any potential illegal activity. TD Canada Trust, Royal Bank, BMO, Scotiabank and CIBC have all issued statements saying none of their customers’ banking information was stolen before the bug was fixed.

The full extent of possible security breaches on other sites isn’t known. The Heartbleed bug is easily fixed, but that fix doesn’t allow website operators to tell who accessed their (your) data while they were compromised.

What should you do now?

Visit the website of any online services you use and confirm they have fixed the Heartbleed bug in their system. Once you know this security threat is fixed, change your password. This will prevent a security breach now if anyone got their hands on your personal information while the vulnerability was exposed.

If you’re not sure if a site you use is vulnerable to the Heartbleed bug, there is a tool you can use. Visit https://lastpass.com/heartbleed/ and type in the URL you’re worried about. Considering 2/3 of all websites use OpenSSL technology that may be vulnerable to the Heartbleed bug, it is a good idea to look into the security level of those businesses and organisations you share your personal data with.

Information security and privacy are our first priority at ComparaSave.com. Our customers’ account and private information remain secure and were not affected by the Heartbleed bug.