Hackers have taken the social insurance numbers of approximately 900 Canadians from Canada Revenue Agency computers, the tax agency says.

The attack on the government computers came while they were vulnerable to the Heartbleed bug, the CRA reported on Monday.

It also highlights a growing problem of how to keep personal information safe in the digital age. Experts say that identity thieves can use a stolen social insurance number, date of birth and an address to apply for a credit card, access bank accounts, redirect mail or create phony documents — often without being detected for months — leaving victims with the bills.

MORE ON THESTAR.COM

CRA’s online services resume following Heartbleed scare

Reports that NSA knew about Heartbleed Bug unleash fresh worries

Heartbleed bug ‘a critical vulnerability’ for Internet security

Ontario’s privacy commissioner, Ann Cavoukian, expressed concern that 900 Canadian taxpayers had their social insurance numbers compromised.

“This is an agency that we are required by law to give our information to,” Cavoukian said Monday at Queen’s Park.

A spokesperson for the CRA said the agency will send out registered letters to Canadians affected by the security breach.

A dedicated 1-800 number will be included in the registered letter, spokesperson Philippe Brideau said.

Brideau said he didn’t know when the letters would be sent out, except to say it would be “as soon as possible. I don’t have an estimated time of arrival.”

CRA commissioner Andrew Treusch said the agency will not be calling or emailing individuals to inform them they have been affected because “we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes

The registered letters will also include information for those affected on “what steps to take to protect the integrity of their SIN,” Treusch said in a press release.

CRA is doing the right thing, John Russo, chief privacy officer at Equifax Canada, said in an interview.

“They are being very accountable as an organization. They’re letting the regulators know and letting consumers know what transpired. They’re taking steps to rectify any loss or identity theft.”

There was no description of whose SIN numbers were removed from the CRA systems.

The tax agency began on Monday to “support and protect” Canadians who are affected by the security breach, Treusch said.

Loading... Loading... Loading... Loading... Loading... Loading...

The agency says everyone affected will receive free access to credit protection services.

The federal tax agency blocked public access to its online services for several days last week until it put in place measures to address the security risk, but says there was nonetheless a data breach over a six-hour period.

“We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed,” Treusch said.

The Heartbleed bug is caused by a flaw in OpenSSL software, commonly used on the Internet to provide security and privacy.

The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.

“The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls,” the agency said on Monday.

Cpl. Lucy Shorey, of the RCMP in Ottawa, declined to comment on the number of officers assigned to the case or their qualifications or how long the investigation might take.

“We don’t normally get into that,” she said. “Everything is kind of unique and we wouldn’t speculate on that.”

With files from Robert Benzie and Star wire services

Read more about: