
Security Notice: Heartbleed SSL Vulnerability

11/04/2014

Like many sites on the Internet, our catalogue, BiblioCommons, was vulnerable to a bug that may have compromised data in transit (not data in BiblioCommons’ database) on encrypted https pages. BiblioCommons was running a current version of OpenSSL which was vulnerable to the Heartbleed bug until a fixed version was posted at 5:00pm, April 8, 2014.

Here is the status of the impact of the Heartbleed bug on Ottawa Public Library web services:

- Logins to the main site, databases and eBooks are through a centralized sign-on process which flows through BiblioCommons. BiblioCommons uses OpenSSL to secure its logins; this was patched April 8 at 5:00pm and is therefore no longer vulnerable. Usernames and passwords typed in during active sessions could have been exposed through this bug before the patching took place. The vendor has reviewed the logs and does not see any evidence of a security breach.

- Our ePayment service does not use the affected OpenSSL code and, therefore, collected credit card information was not vulnerable from the OPL website.

For added protection, we recommend that everyone change their PINs in the event that their BiblioCommons accounts were compromised before the patch was applied. 

FAQ:

Q: When did BiblioCommons first learn about Heartbleed and what did you do?

A: BiblioCommons first learned about the issue on the morning of April 8 and determined that the version of OpenSSL we were using was vulnerable. BiblioCommons engineers updated OpenSSL libraries by 5:14 PM EDT.

Q: What information was vulnerable?

A: Any information that appears on or is transmitted through a secure (https) page, including name, barcode, PIN/password, email address, year and month of birth, recently returned items, fines, and other preferences.

Note that BiblioCommons does not fetch or store your address or phone number.

Q: What about fines paid through the library? Was credit card data at risk?

A: Our ePayment service does not use the affected OpenSSL code and, therefore, collected credit card information was not vulnerable from the OPL website.

Q: Do you know if any patron information was compromised?

A: It’s not possible for anyone to tell, but at this point we have no reason to believe patron data was compromised.

Q: Why were some sites vulnerable and others not?

A: Not every site uses OpenSSL, and not all versions of OpenSSL were affected. Unfortunately, sites such as BiblioCommons that were using the newer and better versions of OpenSSL were the ones vulnerable.

Q: Should I change my PIN?

A: Yes. That’s a good idea any time there has been a potential breach of personal information. It’s good practice to change your PIN/password regularly, and use something you don’t use on any other site.

Q: What does my library need to have done to protect patron information?

A: Whether or not your library needs to take further steps with other services aside from BiblioCommons will depend on those services and the encryption protocol those services use. Please contact your library for further information.

Q: What steps does BiblioCommons have in place to protect patron and other personally identifiable data?

A: Please see our Privacy Policy. There’s a link at the bottom of every page in your library catalog.

Q: How can I see if my library — or another service I use that may have my data — is still vulnerable?

Q: Where can I get more information on the Heartbleed vulnerability?

A: You can get more information from the site where the bug was originally reported: http://heartbleed.com.