Opposition decries government over secrecy on ‘Heartbleed’ bug
April 16th, 2014 - 1:01pm
By Jason Fekete, The Vancouver Sun
OTTAWA — The Canada Revenue Agency and RCMP are saying little about the security breach that led to the theft of taxpayer information from the CRA website, with the minister still declining to speak publicly and the Mounties saying they asked the government to withhold the release of information for investigative reasons.
The secrecy doesn’t impress the opposition or experts in crisis communication.
The RCMP said Tuesday they have a “viable” lead in the investigation and have identified suspects who may have maliciously targeted the CRA’s website, but won’t comment further on the “Heartbleed” computer bug and the 900 social insurance numbers swiped from the Canada Revenue Agency website.
National Revenue Minister Kerry-Lynne Findlay has refused to comment; her officials cite the ongoing RCMP investigation.
“From a crisis communication perspective, the response has been clumsy,” said Josh Greenberg, the associate director in the School of Journalism and Communication at Carleton University in Ottawa, who has studied government responses to past issues such as the tainted meat-listeriosis outbreak in 2008 and H1N1 flu pandemic in 2009. In both of those crises, government officials held regular public briefings.
“Given the source of the breach and the fact that it falls during the very busy and stressful tax-filing season, the revenue minister really should be the government’s public face on Heartbleed and doing more than simply issuing daily updates on the Revenue Agency’s website,” Greenberg said.
The CRA announced Monday that the social insurance numbers of approximately 900 Canadians were stolen from the agency’s website after its Internet software was compromised by the Heartbleed computer bug. The agency is sending letters to those people whose SINs have been stolen.
The CRA knew about the breach last Friday but only informed Canadians on Monday, sparking questions about why the government failed to notify the public sooner.
On Tuesday, the RCMP said it asked the CRA to wait over the weekend before notifying Canadians.
“This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigated further risk,” the police force said in a statement. “The RCMP appreciates the co-operation of CRA, and appreciates the understanding of Canadians in this matter.”
An RCMP spokesperson said the Mounties would not provide more details so as not to jeopardize their investigation. RCMP Cpl. Lucy Shorey would not say whether the Mounties were asked by the government to issue the news release.
The CRA shut down its online tax-filing services last Tuesday night (and announced it the next morning) because of security concerns about the Heartbleed bug, which affects OpenSSL software that provides security and privacy on many websites. The agency announced Sunday that its online systems had been fully restored, allowing Canadians to file their tax returns.
The NDP has written to the minister asking for an explanation ov why the CRA waited until Tuesday evening to shut down its web operations when news of the Heartbleed bug emerged on Monday. The government must also explain why the CRA could not provide the same level of online protection as banks, which have not been affected by the bug, the NDP says.
“Once again, under this government’s watch, the personal information of Canadians has been compromised,” says the letter to Findlay from New Democrat MPs Charlie Angus and Murray Rankin.
“As the CRA holds the personal financial information of millions of Canadian taxpayers and businesses, Canadians need to hear clear and direct answers on this serious breach.”