Canada's tax-collection agency on Monday said the private information of about 900 people had been compromised as hackers exploited the "Heartbleed" bug, and security experts warned that more attacks are likely to follow.
The breach allowed hackers to extract social insurance numbers, which are used for employment and gaining access to government benefits, and possibly some other data, the Canada Revenue Agency said.
The agency appears to be the first to report that it is the victim of an attack exploiting a flaw in software known as OpenSSL, which is used on about two-thirds of websites to secure data as it travels across the Internet.
KACPER PEMPEL / Reuters
Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until vulnerable websites upgrade their software.
Later on Monday, British parenting website Mumsnet, which claims more than 60 million monthly page views, said it had required all users to reset their passwords after a Heartbleed-related breach. It didn't say whether any information had been taken.
Internet companies, technology providers, businesses and government agencies have been scrambling to figure out whether their systems are vulnerable to attack since the flaw was disclosed a week ago. When researchers announced that they discovered the bug, they said they did not know whether anybody had exploited it to launch attacks, though it had been present in OpenSSL software for several years.
Andy Ellis, chief technology officer with Akamai Technologies Inc, said he was not surprised to hear about the attack on the Canadian agency because there are already several "tool kits" publicly available over the Internet that hackers can use to launch attacks on vulnerable websites.
"You should expect to start seeing the attacks this week," said Ellis. News of the attack in Canada came after authorities in Washington warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the bug.
The Canada Revenue Agency said in a statement posted on its website that government security authorities had warned it of the breach, which occurred over a six-hour period.
Police are investigating the attack on the agency while forensic experts try to ascertain whether other data had been taken, a task that will be complicated because security experts say they believe that the Heartbleed bug allows attackers to steal data without leaving a trace.
"We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," it said. The agency shut down access to its online services on Wednesday, in the heart of the annual tax season, because of the bug.
First published April 14 2014, 12:57 PM