Tax agency cuts off public access to electronic services over security worries
OTTAWA — With tax-return season in full swing, the Canada Revenue Agency suddenly locked down its online filing services on Wednesday, fearful of a new vulnerability in software used by much of the world to safeguard secure websites on the Internet.
All of the federal government’s online systems were under review after word of the so-called “Heartbleed” computer bug prompted the tax agency to pull the plug on its electronic services as a precaution.
“As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold,” the agency said in a statement.
The shutdown came after the Canadian Cyber Incident Response Centre (CCIRC) issued a warning to system administrators about the coding flaw. It recommended that system operators unable to plug in an immediate fix get off the grid.
Other federal systems were also being assessed for their vulnerability to the threat, said Antoine Ouellon, a spokesperson for Shared Services Canada, the federal agency that oversees the government’s IT infrastructure.
“Shared Services Canada is working with departments and Public Safety Canada to assess all IT systems to identify the extent of the problem and to apply solutions, including implementing patches, as required,” Ouellon said in a statement.
It was not immediately clear Wednesday whether any other online government would have to be taken off-line.
The Canada Revenue Agency services that were affected by Wednesday’s outage included the electronic tax-filing systems Efile and Netfile, as well as access to business and personal account data stored by the system.
The agency said it was working to restore safe and secure access and expected the site to be back online “over the weekend.”
The agency also took steps to reassure anxious would-be tax filers, suggesting that anyone who was prevented by the shutdown from filing a return on time would not be penalized.
The minister of National Revenue has confirmed that individual taxpayers will not be penalized for this service interruption,“ the agency said later Wednesday.
“We continue to investigate any potential impacts to taxpayer information, and to be fully engaged in resolving this matter and restoring online services as soon as possible in a manner that ensures the private information of Canadians remains safe and secure.”
It is a busy time of year for the tax agency, as people file returns electronically and track the progress of refunds online.
As of the end of March, the agency had received 6.7 million returns, with 84 per cent filed electronically.
The computer bug was reportedly detected last week by Internet security experts in Finland and researchers at Google, but only revealed widely within the online security community on Monday.
Heartbleed affects open-source software called OpenSSL that’s at the very core of millions of applications used to encrypt Internet communications. Experts warn that its impact on consumers could be significant.
It can reveal the contents of a computer server’s memory, including private data such as user names, passwords, and credit card numbers.
But the flaw also allows hackers to obtain copies of a server’s digital keys, and use them to impersonate other servers and fool people into thinking they are using a legitimate website.
A number of large global websites, such as Google, Facebook and Yahoo, have said they were either in the process of fixing the problem or had already dealt with the threat.
The Canadian Bankers Association, which represents some 59 domestic and foreign banks, said Wednesday that the online banking applications of Canadian banks were not affected by the bug.
“TD already has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk,” said Barbara Timmins, a spokeswoman at TD Bank Group.
“While we don’t recommend any specific actions to TD customers as a result of this vulnerability, we always recommend that customers change their passwords regularly,” she added.
RBC spokesman Jason Graham added that while the bank takes every threat seriously, RBC websites “have not been affected by the Heartbleed security bug.”
Despite the fact the problem is global in scope, NDP Leader Tom Mulcair wasted no time in blaming the federal Conservative government for failing to adequately protect and provide services to Canadians.
“The Conservatives are such poor public managers that they can’t deliver the grain, they can’t even deliver the mail and now at tax time they can’t even communicate with Canadians through the revenue agency,” Mulcair said.
Liberal Leader Justin Trudeau said only that he would support any measures needed to battle the bug.