OTTAWA - The Canada Revenue Agency says it has temporarily cut off public access to its electronic services over security concerns, preventing Canadians from being able to file their taxes online.
"We have received information concerning an Internet security vulnerability named the Heartbleed Bug," the agency said in a statement posted on its website Wednesday morning. "As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold."
The affected services include EFILE, NETFILE, My Account, My Business Account and Represent a Client.
The agency said it is working to restore safe and secure access as soon as possible.
It is a busy time of year for the tax agency, as people file returns electronically and track the progress of refunds online.
As of the end of March, the agency had received 6.7 million returns, with 84 per cent filed electronically.
CRA said consideration will be given to taxpayers who are unable to comply with their filing requirements because of the service interruption.
FACTS ABOUT THE HEARTBLEED COMPUTER BUG
The Heartbleed computer bug has implications well beyond information technology circles. But how serious is the risk? Who and what is affected? Here are five key things to know about Heartbleed:
What is Heartbleed?
It's a flaw in a widely used security technology known as OpenSSL. The addresses of sites using SSL commonly begin with HTTPS and feature a padlock icon to let users know information is being encrypted. Data potentially exposed by the programming flaw includes usernames, passwords, photos and credit card details. According to Mark Nunnikhoven, vice-president of Cloud and Emerging Technologies at security firm Trend Micro, OpenSSL is the most commonly used security protocol and is in place on roughly two-thirds of secure websites.
The Good, the Bad and the Ugly:
Nunnikhoven says not all sites using OpenSSL are vulnerable to Heartbleed, since only certain versions of the code are impacted. Security and analysis firm Netcraft estimates only 17.5 per cent of sites are currently exposed to the bug. Still, that amounts to at least half a million security certificates issued by some of the web's heaviest hitters. These include Twitter, Yahoo, Tumblr, Dropbox and some international banks. Worst of all is that the bug, although only just recently discovered and made public, has been in existence for at least two years.
"When everybody hears about it, you can kind of assume that the really bad guys probably already know about it and have known about it for a little while," said Nunnikhoven.
Nunnikhoven says there's no foolproof way to know whether your information has been exposed, adding the onus falls on individual companies to disclose whether or not their data has been compromised. Some, like Yahoo, have been transparent about the fact that their information was vulnerable and have outlined the steps they're taking to plug the security hole. Others have been mum on what impact Heartbleed may have on their users. Nunnikhoven urges web users to check in with websites regularly for updates on Heartbleed exposures and fixes. He says patches are widely available and should be implemented in the next few days.
How to protect yourself?
Nunnikhoven says the best course of action is to change your passwords, but only once sites have clearly indicated that they're not at risk from Heartbleed. He says such indications could come from email communications or statements clearly posted on company websites.
"As a user I would look for that type of information, and if it's not there I would either decide, 'I don't want to use this service today, I'll wait till they put it there,' or decide it's worth the risk. Most of the time, it's not."
The Canadian story:
One piece of good news is that Canadian banks appear to have dodged the bullet. A statement from the Canadian Bankers Association says "The online banking applications of Canadian banks have not been affected by the Heartbleed bug." The Canada Revenue Agency has temporarily shut down its website as a precautionary measure, though Nunnikhoven says there's no indication that data has actually been compromised.