Canada Revenue Agency Halts Online Tax Filing in Response to Heartbleed Bug

UPDATE: The CRA says the security risk has been addressed. The tax return deadline has been extended five days to May 5.

ORIGINAL: The Canada Revenue Agency has taken preventative measures to protect against the newly discovered “Heartbleed Bug.”

In response to the bug’s reveal, which could expose masses of critical personal financial information, the CRA has temporarily halted online tax filing tools for both individuals and businesses.

Quoth The Wall Street Journal:

Heartbleed exploits a problem in certain versions of OpenSSL, a free set of encryption tools used by much of the Internet. The flaw could expose reams of data that are meant to be private, cybersecurity experts say. This week, website operators, among them Yahoo Inc., raced to fix the flaw, which could reveal the contents of a server’s memory, where sensitive data including passwords and credit-card numbers are stored.

A spokeswoman for Canada’s Revenue Minister told the WSJ that the agency decided to shut down its online filing tools “as a precaution until the agency can be sure the risks have been eliminated.”

And here’s part of a statement the CRA sent to The Toronto Star:

The CRA recognizes that this problem may represent a significant inconvenience for individual Canadians, representatives and businesses that count on the CRA for online information and services. Please be assured that we are fully engaged in resolving this matter and restoring online services as soon as possible in a manner that ensures the private information of Canadians remains safe and secure.

The CRA added that it is committed to investigating any potential impacts to taxpayer information.”



In related news, the CRA confirmed that nearly 1,000 social insurance numbers were compromised during a six-hour window of vulnerability caused by the Heartbleed Bug, despite the agency shutting down its public online services.

“Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said in a statement this morning. “Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”

“The agency will not be calling or emailing individuals to inform them that they have been impacted—we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes,” the fiscal department added.

Instead the CRA will be notifying via snail mail.



While some key sites, such as Apple services Canadian bank websites, are safe, many—including some government sites—remain vulnerable.

Last week the Chief Information Officer for the Government of Canada issued a directive to all federal government departments to immediately disable public websites that are running unpatched OpenSSL software.

“This action is being taken as a precautionary measure until the appropriate security patches are in place and tested,” says the government. “The Heartbleed bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.”

“We understand that this will be disruptive,” the government added, “but, under the circumstances, this is the best course of action to protect the privacy of Canadians.”