Heartbleed bug may shut Revenue Canada website until weekend

The Canada Revenue Agency says it expects its website to be down until the weekend because of a security issue related to the "Heartbleed bug" web vulnerability.

CRA security breach

Terry Milewski explains why the Canada Revenue Agency has shut down online access at tax time

The Canada Revenue Agency says it expects its website to be down until the weekend because of a security vulnerability related to the Heartbleed bug.

The tax agency's website took away the public's ability to log in late Tuesday evening, which raised concerns about the privacy of sensitive taxpayer data.

"We are currently working on a remedy for restoring online services and, at this time, anticipate that services will resume over the weekend," the tax agency said on its website Wednesday afternoon.

"The CRA recognizes that this problem may represent a significant inconvenience for individual Canadians who count on the CRA for online information and services. Recognizing this, the minister of national revenue has confirmed that individual taxpayers will not be penalized for this service interruption."

The CRA also said it is checking to make sure no taxpayer information was compromised.

"We continue to investigate any potential impacts to taxpayer information, and to be fully engaged in resolving this matter and restoring online services as soon as possible in a manner that ensures the private information of Canadians remains safe and secure," it said.

The bug is a recently discovered vulnerability in a version of OpenSSL security software code that is installed on two-thirds of the active servers connected to the internet. 

The Canada Revenue Agency website blocked partial access early Wednesday due to what has become known as the Heartbleed bug. (Mark Blinch/Reuters)

A spokesperson for the Department of Shared Services responsible for federal computers said in a written statement that the Heartbleed bug "is affecting virtually all IT systems around the world."

The Canadian government is checking all of its networks and fixing the problem as required, the official said.

OpenSSL was believed to be comparatively safe and secure. But the Heartbleed vulnerability could allow a malicious user to read the memory of affected systems by mimicking the look of an authorized user, which would give the hacker access to sensitive information on any server with the buggy code installed.

"Essentially, they'd get a second key to your house and can walk in whenever they want," technology analyst Carmi Levy told CBC News in describing the bug on Wednesday. "Right now, server owners around the world are busy fixing that. They're trying to patch a fix to close that vulnerability."

There's an easy patch to fix the code, but it must be installed on systems retroactively. And it's very difficult to track whether any unauthorized users have accessed the loophole before it was fixed.

The CRA's move affects online tax-return filing services such as EFILE and NETFILE and also online access to account information for individuals and businesses.

Revenue Minister Kerry-Lynne Findlay told reporters the agency learned of the website vulnerability Tuesday night and CRA officials worked through the night on the issue.

"Obviously, we deal with very sensitive and personal taxpayer information on a daily basis and so we want, as a precautionary measure, to make sure that our systems are functioning and back up as soon as possible. We know it's a difficult time being tax-filing season for Canadians," Findlay said, adding, "We're on top of this."

Asked whether Canadians who have already filed their tax returns should be worried about their information, Findlay repeated that the CRA shutdown was a precautionary measure and officials are "working on it."

NDP attacks Conservative priorities

The NDP attacked the government's response to the threat, saying it shows the government doesn't put a priority on management of public services.

"The Conservatives are such poor public managers that they can't deliver the grain, they can't even deliver the mail and now at tax time they can't even communicate with Canadians through the revenue agency," NDP Leader Tom Mulcair told reporters on Parliament Hill.

"They've made [public services] their lowest priority and it's not surprising that we see it breaking down."

Liberal Leader Justin Trudeau called on the government to act quickly to solve the problem.

"I think it's extremely important that we understand that security is not just bricks and mortar any more," Trudeau told reporters.

"Technology and information security is going to be a huge area of concern in the 21st century and we have to make sure that our various agencies, particularly ones dealing with sensitive data as the CRA, are keeping up with the need to protect Canadians in virtual ways, as well as the other agencies who protect us in physical ways, and I look forward to answers from the government in the days and weeks to come."

The department of public safety first posted an advisory Tuesday warning of the OpenSSL vulnerability, saying the Canadian Cyber Incident Response Centre was aware the security flaw "could allow a remote attacker to decrypt secure (internet) traffic."

The advisory said CCIRC, the agency within Public Safety that helps protect Canada's electronic infrastructure from cyber attacks, was recommending "system administrators test and deploy" security updates to "affected platforms."

The U.S. Department of Homeland Security issued its first advisory about Heartbleed on Monday.

The 2014 deadline for personal income tax filing for the 2013 tax year is at the end of this month.

The CRA tweeted a few days ago that 1,763 online returns were being processed per minute. More than 6.7 million Canadians have filed tax returns electronically as of March 24. That represents almost 84 per cent of returns.