The theft announced this morning of 900 social insurance numbers (SIN) from the Canada Revenue Agency computer system is a story about the Heartbleed bug, but it is also a media story. It appears clear that the theft of these numbers occurred after the enormous furore in the media alerted hackers to the opportunity for such theft, and before CRA responded by shutting down access to the machine. The whole thing occurred during a six-hour period after the security flaw was discovered. Andrew Treusch, Commissioner of Revenue at the agency, said in a statement the CRA is currently investigating the removal of other data, some of which “relate to businesses.” No other information was immediately available. The circumstances of the theft raise again the timeless question of just when the public good is actually damaged by the unrestrained broadcast of such news. Historically, we always come down on the side of instant dissemination, and this may indeed be the right choice. But there is no doubt that the mad release of all information instantly can be a mixed blessing, related as much to making money as it is to the public good. The Heartbleed case is a good example of the former. This previous post notes how harmless the software flaw remained as long as it lay quietly unreported. How much smarter it would have been to fix Heartbleed first, if possible, before announcing to the general public that the flaming disintegration of the cyber-world as we knew it was at hand.