
Businesses should take steps against Heartbleed bug to prevent identity theft

Apr 23, 2014 Walt Wojciechowski

The now-infamous Heartbleed bug put Internet users at risk for identity theft, which can wreak havoc on their consumer credit data. Businesses that suspect they are impacted should implement measures to prevent data breaches.

Codenomicon announced on April 7 that it had discovered a major vulnerability in OpenSSL software, which many companies use to encrypt information on their websites. It allowed hackers to exploit a system protocol and view usernames, passwords, security keys and other content intended to be inaccessible. This access reportedly leaves no trace.

This bug has been active in OpenSSL releases for two years. It was discovered by Neel Mehta, a member of the Google Security Team, according to the security advisory released by OpenSSL.

Data breach puts users at risk
Businesses should recognize that this bug puts their clients at risk for identity theft if they have been using OpenSSL for encryption on their websites. Codenomicon has said that it's unknown whether this bug was ever actively exploited before its existence was made public, but, again, it's possible to take advantage of Heartbleed without leaving any evidence of the hacking.

It's notable that users entering information into public-facing pages isn't the only way this bug can leave clients open to identity theft. While logins and payment pages are vulnerable, any device using OpenSSL can be attacked, stated Kelly Jackson Higgins of InformationWeek's DarkReading. This includes internal servers and VPNs, on which companies may store consumer data that clients gave the company but didn't enter on a website.

Businesses already experiencing identity theft
Some businesses have already had client information compromised in the wake of the bug's announcement. Perhaps most notably, the Canada Revenue Agency has been affected. According to a statement released by the CRA, the Social Insurance numbers of about 900 Canadian citizens were fraudulently accessed on April 8, while the agency was attempting to patch the bug. SINs allow for credit cards to be opened, loans to be taken out and other activities that can do serious harm to a consumer credit report.

Steps to take
There are a few steps businesses can take to prevent identity theft. If a breach has already occurred, a company can consider offering credit protection services to affected clients and adding extra security and identity verification measures to its website. This is what the CRA did in the wake of its own data breach. The Computer Emergency Response Team announced on the day the bug was made public that a patch fixing the vulnerability had been created, and all companies that use OpenSSL should apply this fix as soon as possible to prevent future data breaches.