OTTAWA – Two New Democrat MPs have written to the minister in charge of the Canada Revenue Agency asking her to explain what they say are discrepancies in the timeline of the Heartbleed security bug.
The NDP’s Charlie Angus and Murray Rankin put several questions to National Revenue Minister Kerry-Lynne Findlay about the CRA’s actions from the time the bug was first made public on Monday to when the agency shut down its website Tuesday evening.
They want to know who told the CRA about the bug, if any precautionary checks of the agency’s systems were made after the tech world learned about Heartbleed and why it took until Tuesday evening to shut down the tax website.
At least 900 social insurance numbers were compromised at some point.
Angus and Rankin say the CRA’s assistant commissioner and chief privacy officer made no mention of the bug during an appearance at a parliamentary committee around noon on Tuesday.
“What is troubling about this timeline is the obvious gap between the information being made public on Monday and the statements made by senior staff to Parliament on Tuesday while the system was still wide open for potential hacking,” the MPs wrote.
“Were the assistant commissioner and chief privacy officer being kept in the dark about the Heartbleed bug? Or did the CRA assume its firewall made it impervious to any potential hacking through the discovery of this door bug that was shaking up the tech world?”
Police say they asked the CRA to hold off on telling Canadians that 900 social insurance numbers had been taken.
The RCMP were notified of the security breach on Friday, but asked the agency to hold off making an immediate announcement about the data loss so they could pursue investigative leads.
Word of the Heartbleed security vulnerability prompted the agency to shut down its publicly accessible websites last week.
A number of other federal departments followed suit.
The government says it has solved the problem and the sites re-opened over the weekend.
But the revenue agency did not disclose the loss of data until Monday.
“The RCMP asked CRA to delay advising the public of the breach until Monday morning,” the Mounties said in a news release.
“This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigate further risk.”
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy. The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.
CRA said it will notify everyone involved in the security breach by registered letter and will offer access to credit protection services.
At least one Internet security expert has suggested that the data losses may go well beyond just 900 social insurance numbers.