On Wednesday, April 9, the Alberta Ombudsman was made aware that this website and the website for the Public Interest Commissioner (www.yourvoiceprotected.ca) were some of the thousands of sites around the world vulnerable to the so-called Heartbleed loophole, or bug.
News stories indicate websites using OpenSSL for site security (including Yahoo, the FBI, the Canada Revenue Agency, and our sites) were vulnerable. The loophole had the potential to allow hackers to snoop on website traffic.
This means a third party could have intercepted information submitted through online complaint forms on this site. We have no evidence of any breach, and steps were taken to immediately fix the issue so we are no longer vulnerable. However, the possibility exists that the loophole may have compromised some information before the fix was installed.
The Ombudsman website was launched on November 27, 2013. The Public Interest Commissioner’s website was launched on March 31, 2014. Both sites feature online submission forms that potentially were vulnerable. However, on the Ombudsman website, any potential attacker would have to breach additional layers of security.
The Public Interest Commissioner’s online Disclosure of Wrongdoing and Complaint of Reprisal Forms are currently available as PDFs, so personal information would not have been at risk from this particular issue. The previous Public Interest Commissioner website, offering online submission forms from August 20, 2013 to March 31, 2014, was hosted by Service Alberta. They have advised us the site was not susceptible to the Heartbleed vulnerability.
We understand the concern this may cause visitors to the site. Although there is no indication any breach occurred, we have reported this matter to the Office of the Information and Privacy Commissioner. Both the Alberta Ombudsman and Public Interest Commissioner offices will continue to monitor website security, and work to incorporate the most suitable website technology to ensure your information is safe and secure.
We take seriously your privacy and confidentiality. If you have any questions or concerns, or experience technical difficulties with our site, contact us via phone at:
1-888-455-2756 (toll-free province-wide)
Or via email at [email protected]
UPDATE: An April 14 bulletin issued by the Office of the Information and Privacy Commissioner provides further information about protecting your privacy from Heartbleed.