A major international security concern has forced the shutdown of electronic filing services at the Canada Revenue Agency, and there are concerns the problem could affect other government systems as well.
The CRA “is currently working on a remedy for restoring online services and, at this time, anticipate that services will resume over the weekend,” it says in a statement on its website. “The Minister of National Revenue has confirmed individual taxpayers will not be penalized for this service interruption.”
The tax agency temporarily cut off public access to its electronic services Wednesday, saying the action was taken as a precaution.
“We have received information concerning an Internet security vulnerability named the Heartbleed Bug,” the agency said in a statement posted on its website.
“As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold.”
The shutdown came after the Canadian Cyber Incident Response Centre (CCIRC) issued a warning to system administrators about the coding flaw. It recommended that system operators unable to plug in an immediate fix get off the grid.
The affected services at CRA include EFILE, NETFILE, My Account, My Business Account and Represent a Client.
The agency said it is working to restore safe and secure access as soon as possible.
It was unclear just how long it might take to ensure the agency’s computers are secure, but Revenue Minister Kerry-Lynne Findlay indicated it could be some time before the system was back up and running, noting that the agency would post updated information on its website “daily.”
“We’re investigating, we’re working on it,” Findlay told reporters.
However long it takes, the revenue agency tried to reassure tax filers Wednesday, suggesting that people unable to file on time as a result of the shutdown would not be penalized.
“Please note that consideration will also be given to taxpayers who are unable to comply with their filing requirements because of this service interruption,” the agency said on its website.
It is a busy time of year for the tax agency, as people file returns electronically and track the progress of refunds online.
As of the end of March, the agency had received 6.7 million returns, with 84% filed electronically.
The computer bug was reportedly detected last week by Internet security experts in Finland and researchers at Google, but only revealed widely within the online security community on Monday.
Heartbleed affects open-source software called OpenSSL that’s at the very core of millions of applications used to encrypt Internet communications.
And experts warn that its impact on consumers could be significant.
It can reveal the contents of a computer server’s memory, including private data such as user names, passwords, and credit card numbers.
But the flaw also allows hackers to obtain copies of a server’s digital keys, and use them to impersonate other servers and fool people into thinking they are using a legitimate website.
As Canada’s tax collection agency was making the decision to go offline, a number of large websites, such as Google, Facebook and Yahoo said that they were either fixing the problem or had already dealt with the threat.
Banks say data safe
Canada’s major banks were also scrambling to reassess their systems, with at least two assuring clients that measures were in place to prevent any loss of information.
“TD already has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk,” said Barbara Timmins, a spokeswoman at TD Bank Group.
“While we don’t recommend any specific actions to TD customers as a result of this vulnerability, we always recommend that customers change their passwords regularly,” she added.
“That said, TD has intelligent and multi-layered authentication, so there are multiple safeguards in place to protect customers.”
RBC spokesman Jason Graham added that while the bank takes every threat seriously, RBC websites “have not been affected by the Heartbleed security bug.”
The Canadian Bankers Association also released a statement. “The online banking applications of Canadian banks have not been affected by the Heartbleed bug. Canadians can continue to bank with confidence.
“Banks have sophisticated security systems in place to protect customers’ personal and financial information, including encryption and other measures.
“As part of a normal course of business, the banks actively monitor their networks and continuously conduct routine maintenance to help ensure that online threats do not harm their servers or disrupt service to customers.”
While the problem is international in nature, Opposition NDP Leader Tom Mulcair was quick to pounce on the Harper Conservatives for failing to adequately protect and provide services to Canadians.
“The Conservatives are such poor public managers that they can’t deliver the grain, they can’t even deliver the mail and now at tax time they can’t even communicate with Canadians through the revenue agency,” Mulcair said.
Liberal Leader Justin Trudeau, however, was prepared to cut the Tories some slack, saying he would support any measures needed to battle the bug.