Are there discrepancies in the CRA's Heartbleed timeline?

The official story of the CRA Heartbleed security breach might not be the real one

OTTAWA – “In order to reassure Canadians that your government is able to fully protect the vital private financial information of Canadian taxpayers, we are hoping you could explain apparent discrepancies in the timeline regarding this breach — i.e., the period between when you became aware of the bug, when you took action and the so-called six-hour window that allowed cyber thieves access to the internal workings of Canada Revenue Agency.”

— New Democrat MPs Charlie Angus and Murray Rankin, in a letter to National Revenue Minister Kerry-Lynne Findlay

Two New Democrat MPs have raised questions about the Canada Revenue Agency response to the Heartbleed security bug, which a 19-year-old hacker from London, Ont., allegedly exploited to steal the social insurance numbers of at least 900 people.

The NDP’s Charlie Angus and Murray Rankin have asked National Revenue Minister Kerry-Lynne Findlay to explain “apparent discrepancies in the timeline regarding this breach.”

The Canadian Press put Angus and Rankin’s words to the test to determine if there were, in fact, discrepancies in the timeline that has been provided by the CRA and the RCMP.

Spoiler alert: The Canadian Press Baloney Meter is a dispassionate examination of political statements that culminates in a ranking of accuracy. On a scale of “no baloney” to “full of baloney” (complete methodology below).

This one earns a rating of “a little baloney” — the statement is mostly accurate, but more information is required. Here’s why.

The Facts

The Canada Revenue Agency says it first learned of Heartbleed on April 7. The bug, which had gone undetected for two years, affects open-source software called OpenSSL that’s at the very core of millions of applications used to encrypt Internet communications.

It can reveal the contents of a computer server’s memory, including private data such as usernames, passwords and credit card numbers.

At 11 a.m. on April 8, two senior officials from the agency testified at a parliamentary committee, but made no mention of the bug.

Later that same day, the agency cut off public access to its online services.

At some point — the agency won’t say precisely when — there was a six-hour window in which someone exploited the bug and stole at least 900 social insurance numbers.

The agency will not say if the breach occurred between April 7 and 8 — from the time it first learned of the bug until it shut down access to its websites — or sometime prior to that when the bug was exploitable but undetected.

Sometime in the morning or early afternoon of April 11, the agency notified the RCMP and the federal privacy commissioner about the data breach. Late that afternoon, the Mounties asked the agency to wait until April 14 to tell the public about the stolen social insurance numbers.

The agency restored public access to all its online services on April 13. The next day, the agency released a statement about the stolen social insurance numbers.

On April 15, the RCMP revealed it has asked the CRA not to say anything about the data breach so it could continue its investigation. Some time that same day, Stephen Arthuro Solis-Reyes, 19, was arrested at his home in London, Ont., and his computer equipment was seized.

The Mounties charged Solis-Reyes on Wednesday.

The Unanswered Questions

While there don’t appear to be any obvious contradictions in the official timeline, as Angus and Rankin suggested, there certainly are a number of questions that the agency is not answering, namely:

  • When exactly did the data breach occur?
  • How does the CRA know whose social insurance numbers were stolen?
  • How do we know the CRA has identified all the stolen social insurance numbers?
  • Why didn’t senior CRA officials tell MPs at committee about Heartbleed? Did they not know about it at that time?
  • Why didn’t the CRA cut off public access to its online services as soon as it found out about Heartbleed, instead of waiting nearly a day?

Angus and Rankin have asked Findlay some of those questions.

The Experts

One Internet security expert says even though the six-hour window to steal data may seem like an eternity to a hacker, extracting information using the Heartbleed bug is actually relatively time-consuming.

“It’s certainly a significant amount of time,” said Mark Nunnikhoven, vice-president of cloud and emerging technologies at the software security firm Trend Micro.

“But because it’s a random response, it’s not necessarily that the attacker was able to specifically target and say, ‘Look, I want credit-card data, or only social insurance numbers.’ That would have made it much worse.”

Still, there’s a chance more social insurance numbers were stolen, Nunnikhoven said.

“My guess as a professional would be it’s likely there’s more, but the downside is we’ll probably never know,” he said. “The challenge here is that the bug has been in place since March of 2012. We only knew about it on the 7th of April, 2014.”

Nunnikhoven said he takes no issue with the Canada Revenue Agency’s timeline.

“It ends up being a security and a business decision, jointly, simply because of the impact to 36 million Canadians,” he said.

“You’re not talking about shutting down your personal website. You’re talking about shutting down the Canada Revenue Agency in the middle of tax season.

“There is a massive impact to the public. So it’s a decision you don’t want to take lightly, which is why I think 24 hours is pretty solid. And then to have things remediated and back up and running within a couple of days after that was very good.”

The Conclusions

So Angus and Rankin’s claim about “apparent discrepancies” in what the government has told the public about Heartbleed and the data breach may be a little strong. The Canadian Oxford Dictionary defines the word discrepancy as a “difference; failure to correspond; inconsistency.”

There don’t appear to be any inconsistencies in what the CRA has said publicly. Perhaps what Angus and Rankin really meant to say was that there are gaps or missing information? If so, they have a valid point.

The Verdict

While the CRA has not been forthcoming about some details of the breach, there do not appear to be any outright “discrepancies” in its timeline of events. For this reason, Angus and Rankin’s claim has a little baloney to it.

Looking for more?

Get the Best of Maclean's sent straight to your inbox. Sign up for news, commentary and analysis.