What you need to know about Canada Revenue Agency's 'internet vulnerability'

The CRA's electronic tax filing services have been restored, but you might be wondering how the CRA got into this situation in the first place.

Has the CRA been hacked? How serious was the bug? And what's an Apache Struts 2?

As far as officials know, no data was taken during a recent 'internet vulnerability' at the Canadian Revenue Agency. But CRA did identify and patch a bug that could have been used to do so. (Benoit Tessier/Reuters)

Canada Revenue Agency took its website offline over the weekend — a precautionary measure, officials said, while they dealt with an unspecified "internet vulnerability."

The agency's digital services have since been restored and government officials said no personal information was compromised.

But you may be wondering how CRA got into this situation in the first place. Here's what you need to know.

So, uh, has Canada Revenue Agency been hacked?

"If an organization is concerned about security, they're going to focus on patching that very quickly- Ryan Wilson, CTO of Scalar Decisions

Not as far as we know. But the department did find a vulnerability in some of its software that could have been used to launch an attack.

CRA said they haven't seen any evidence such an attack happened, or that data was taken, which means your personal information — your SIN, your financial information, your password, your phone number, your addresses — is likely safe.

Still, officials said they're undertaking a forensic examination of the affected servers.

Why take parts of the agency's website down?

CRA said the move was a preventative measure — and cybersecurity expert Ryan Wilson said that's not unusual.

"In a lot of cases, organizations that have sensitive web applications, they'll have what's called a web application firewall, which will typically let you stop this attack before it gets to the server," said Wilson, chief technology officer for Toronto-based security company Scalar Decisions.

"For whatever reason, it looks like they were not available to do that, and their next best available option was to pull down the server and patch it."

So was this was a serious bug?

Pretty serious. If exploited, attackers could pull off something called "remote code execution," which is really just another way of saying "do whatever they want on your server" (more or less). That's bad, especially if it's a server with sensitive data — or could be used to jump to another server with sensitive data.

The severity of the bug, the sensitivity of taxpayer data and the fact that the wider security community reported the bug as being actively exploited elsewhere on the internet — which officials called "a specific and credible threat" — all factored into the government's decision to take the CRA's electronic filing services offline.

Wilson called the vulnerability "something that, if an organization is concerned about security, they're going to focus on patching... very quickly." 

OK, but what sort of software are we talking about? Is it something I have installed on my own computer?

Probably not. By software, we mean something called Apache Struts 2. It's a bunch of code that developers use to create web applications with the Java programming language. It's open source software — free for anyone to download, modify and use.

Statistics Canada's servers were also affected — and attackers even gained access for a brief period. (Baz Ratner/Reuters)

CRA uses Apache Struts in the electronic filing portions of its website, which is why those services were taken offline. The bug was found in a part of the Apache Struts 2 software that handles file uploads.

Wait, the government is using free software in important systems?

Yeah. This is actually pretty common — Apache, for example, is one of the most widely used web server software packages around. Most organizations use a mix of free open source and commercial software.

While there are "pros and cons to using commercial versus open source," Wilson said, there's "not one that's a clear winner over the other from a security standpoint."

Was CRA the only government department affected?

No. Government officials also revealed that some Statistics Canada servers were vulnerable, too — and that an attacker actually gained access for a brief period of time. (It's not yet clear who was responsible in that case.) The affected Statistics Canada servers were then taken offline and patched, while network-based protections were put in place to block any additional attacks — something Wilson said typically buys IT staff time to patch servers without causing too much downtime.

But for whatever reason, the government's IT department determined that the network-based protections were not working as expected, and so the decision was made to take the CRA's servers offline and patch them then and there.

So is it safe to file my taxes online?

On the one hand, no piece of software is ever 100 per cent secure — something that government officials acknowledged in their Monday briefing with reporters.

On the other, officials offered the typical reassurance that "government systems are secure and reliable," and called their response "an example of the system working really well."

Wilson agreed. "I think in many ways it's a great example where an organization saw that there was risk in this vulnerability, and actually took action in a reasonable time frame to rectify the issues on their systems."


Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.