The Hon. Kerry-Lynne D. Findlay
607 Confederation Building
House of Commons
Ottawa, ON
K1A 0A6

April 13, 2014

Minister Findlay,

We write to you with grave concerns regarding the breaches of information at the Canada Revenue Agency (CRA) due to the vulnerabilities caused by the Heartbleed bug. Once again, under this government's watch, the personal information of Canadians has been compromised. The CRA is reporting at least 900 cases where Canadians had their personal information stolen from its website during the alleged six-hour breach. In order to reassure Canadians that your government is able to fully protect the vital private financial information of Canadian taxpayers, we are hoping you could explain apparent discrepancies in the timeline regarding this breach, i.e. the period between when you became aware of the bug, when you took action, and the so-called 6-hour window that allowed cyber thieves access to the internal workings of the Canada Revenue Agency.

So let's lay out what we know:

1. The existence of the Heartbleed bug was made public Monday April 7th with the Open SSL Security Advisory posted on their website (https://www.openssl.org/news/secadv_20140407.txt).

2. Around noon on Tuesday April 8th, the CRA's Assistant Commissioner and Chief Privacy Officer, Mrs. Susan Gardner-Barclay, testified before the Standing Committee on Access to Information, Privacy and Ethics, telling Parliamentarians that the CRA's security systems was "one of, if not the strongest security regimes (...) of any government department". Mrs. Gardner-Barclay described the high-level tiered security system:

"It starts with Shared Services Canada that has a number of security mechanisms around the outer layer. The next layer is CRA's own firewall, which is extremely strong, and in the very rare instances where some kind of malware may get past that firewall, we have a second firewall that also bounces back any kind of malicious software or malicious attack."

No mention was made of the Heartbleed bug.

3. Later that evening, the CRA's website was shut down as a result of concerns about the Heartbleed bug. So apparently, some time between the Monday announcement and the Tuesday night shutdown, hackers decided to test the CRA's firewall and were able to steal personal financial information.

4. Friday April 11th, the Commissioner of the CRA notified the Privacy Commissioner, at which point the RCMP asked the CRA not to notify the public Friday of the breach in order to investigate.

What is troubling about this timeline is the obvious gap between the information on Heartbleed being made public on Monday April 7th and the statements made by senior staff to Parliament on Tuesday April 8th while the system was still wide open for potential hacking. Was the Assistant Commissioner and Chief Privacy Officer being kept in the dark about the Heartbleed bug? Or did the CRA assume its firewall made it impervious to any potential hacking through the discovery of this back door bug that was shaking up the tech world? While the RCMP did ask the CRA not to tell the public Friday April 11th of the breach for investigational purposes, this does not change the fact that the CRA only shut down their website the night of Tuesday April 8th, almost a full day after the Open SSL Security Advisory.

In order to reassure Canadians that you are able to protect their personal data, can you explain:

- Exactly who notified the CRA of the Heartbleed bug and the vulnerabilities it causes?
- When did the CRA learn that the Heartbleed bug was in the system, and were any precautionary checks made when the tech world was informed on Monday?
- Why did the CRA delay shutting down their web operations until Tuesday night, after news of Heartbleed was made public and rapidly spread Monday?
- Why was Mrs. Gardner-Barclay reassuring Canadians of the safety of their personal information when knowledge of the threat of Heartbleed for all open-source security software was publicly available for almost a full day? Did the CRA not realize the potential harm of this bug, or were they simply not aware of its existence?
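As an added illustration, not part of the letter, here is the kind of "precautionary check" the questions above refer to: an inventory pass that maps `openssl version` banners onto the affected range named in the 7 April 2014 advisory and flags hosts needing follow-up. Hostnames and banners are constructed; the point it makes is that Heartbleed lives inside the TLS library itself, so the layered firewalls described in the testimony cannot see it and only the library's patch level tells you anything.

```python
import re
from typing import Dict, List

# Affected range per the OpenSSL Security Advisory of 7 April 2014
# (https://www.openssl.org/news/secadv_20140407.txt): 1.0.1 through 1.0.1f
# inclusive, plus 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix; the
# 1.0.0 and 0.9.8 branches never included the TLS heartbeat code.
BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE)


def classify_openssl_banner(banner: str) -> str:
    """Map an `openssl version` banner to 'affected', 'fixed',
    'not_affected' or 'unknown'.

    Distribution builds keep the upstream string after a backported fix
    (e.g. a patched 1.0.1e), so 'affected' means "verify the vendor patch
    level", not proven exposure; 'unknown' means the banner was not
    recognised and must be checked by hand rather than silently passed."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4).lower(), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return "affected" if letter <= "f" else "fixed"
    if (major, minor, patch) == (1, 0, 2) and beta is not None:
        return "affected" if int(beta) == 1 else "fixed"
    return "not_affected"


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Hosts (sorted) whose banner is affected or unrecognised."""
    return sorted(host for host, banner in inventory.items()
                  if classify_openssl_banner(banner) in ("affected", "unknown"))


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "lab-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance-01": "GnuTLS 3.2.12",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:13} {classify_openssl_banner(banner):13} {banner}")
    print("follow up:", triage_inventory(SAMPLE_INVENTORY))
```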
Additionally, it has since been revealed that banks and credit unions were able to protect themselves from the Heartbleed bug. Why was the CRA unable to provide the same level of protection for Canadians? It seems evident that the government is not as well equipped as private companies in quickly detecting and reacting to online security threats. In fact, security experts are now warning that the data breach could be far worse than the theft from just 900 people. Canadians need to know what happened during the two-year period when government systems were subject to the same Heartbleed vulnerability. Can you assure Canadians that their personal information was safe during these two years?

We have learned through Parliamentary testimony that your department had no protocols for tracking breaches prior to 2012, until you were pushed to take action by the official opposition. Have you begun to put in place protocols as a result of the Heartbleed incident? As the CRA holds the personal financial information of millions of Canadian taxpayers and businesses, Canadians need to hear clear and direct answers on this serious breach.

We look forward to hearing from you.

Sincerely,

Charlie Angus, MP

Murray Rankin, MP