Monday, April 14, 2014

Heartbleed...first security breach confirmed

I've been saying all along that it's only a matter of time before web administrators report back that user data had been compromised as a result of the Heartbleed bug.

Simply put, Heartbleed left the front door unlocked. We weren't sure, however, if anyone had walked in the door and taken anything.

Now we know. The Canada Revenue Agency today confirmed that approximately 900 Social Insurance Numbers belonging to Canadian taxpayers were breached during a six-hour period. The agency continues to investigate if additional data was compromised, as well. Full statement here.

What does it mean? This is the first of many such announcements. When two-thirds of the world's web servers are affected by a weakness like this, the mathematics make it virtually inevitable that more breaches will be reported in the days and weeks to come. Because hackers never met a weakness they couldn't try to exploit.

Human nature, I guess.

More to come...

Updates:
  • I spoke with CTV News Channel's Jacqueline Milczarek at 9 a.m. Video here.
  • Frances Horodelski interviewed me for her show, Business Day, on BNN.
  • Chatted live with CP24's Karman Wong.
  • Spoke with Sun News Network's Pat Bolland and Gina Phillips.
  • Interviewed by CBC News Network's Reshmi Nair.
  • Spoke with Russ Courtney from NewsTalk 1010 Toronto, Al Coombs from 1290 CJBK London, Trudie Mason and Aaron Rand from Montreal's CJAD 800, Dean Recksiedler from News1130 in Vancouver, and Richard Cloutier from 680 CJOB in Winnipeg.
I'm percolating other snippets of coverage as we speak, and will add them here as the day plays out.

Additional perspectives to keep in mind:
  • We saw this coming and it was only a matter of time before the first Heartbleed-related breach was reported. This is a warning sign to all businesses that they'd better batten down the security hatches. We - companies, individuals, governments, etc. - just aren't spending enough on security-related tools, infrastructure, people and processes. And Heartbleed is the price we pay for this priority mismatch.
  • The CRA is reporting 900 SINs were compromised. Dollars to donuts that number grows in the days to come, and it won't be limited to SINs, either. It's like boiling the frog: start slow and gradually raise the temperature.
