With news of the Heartbleed bug sending security and IT teams scrambling for solutions earlier this month, the issue of data security has been in the spotlight. Here in Canada, cybercriminals exploited the bug to attack our biggest collector of personal data on individuals, Revenue Canada.

Just last week, the Canada Revenue Agency reported a breach involving the theft of Social Insurance Numbers belonging to 900 taxpayers. The Agency said that the numbers were compromised through an exploit of the Heartbleed bug on April 8.

Catastrophic Bug

According to the Heartbleed.com website created by the Finnish cybersecurity company, Codenomicon, that named the bug and also created the bleeding heart logo, “bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.”

Industry experts have referred to the vulnerability as “catastrophic”, made even worse by the fact that theft of data from affected systems leaves no trace.

“‘Catastrophic’ is the right word,” wrote information security expert Bruce Schneier on his Schneier on Security blog. “On the scale of 1 to 10, this is an 11,” he wrote.

i-Sight (now Case IQ) Data is Safe

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

Around half a million of the Internet's secure web servers were believed to be vulnerable to the attack, and those affected were advised to immediately change their passwords. Some security experts went as far as to advise people to simply stay off the internet for a few days.

i-Sight (now Case IQ)’s servers were among those spared by the bug so clients were not required to take any action. “The Heartbleed vulnerability only affects websites that rely on a certain version of open SSL,” says Jason Victor, Director of Technology at i-Sight (now Case IQ). “i-Sight (now Case IQ) doesn’t use open SSL for its web stack, so we were unaffected.”

Lessons from Heartbleed

A fixed version of OpenSSL was released on April 7, the same day the Heartbleed bug was reported to the public.

The Heartbleed.com website urged companies to learn from the incident. “For those service providers who are affected this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well.”

Even though the company’s servers were unaffected, the security team at i-Sight (now Case IQ) has also taken this incident as an opportunity to review procedures. “We take the security of our i-Sight (now Case IQ) clients’ data very seriously,” says Victor. “In fact, it’s one of our company’s greatest strengths. Our team members are continuously upgrading their expertise to ensure we are always operating at the cutting edge of data security procedures.”