The Canada Revenue Agency (CRA) has temporarily halted online activity in light of security concerns stemming from a vulnerability affecting systems around the world, known as the Heartbleed Bug.
Services including the CRA’s EFILE, NETFILE, My Account, My Business Account and Represent a Client have all been affected.
The Heartbleed Bug is a vulnerability in the open-source library OpenSSL that can allow attackers to read the memory of a web server, which can include the personal information of millions of people.
Today the Toronto Star reported that the CRA’s decision to shut down its online services comes just three weeks before the April 30 deadline to file personal income tax returns.
The agency acknowledged the problem may “represent a significant inconvenience for individual Canadians who count on the CRA for online information and services,” it said in a posting on its website on Wednesday afternoon.
“Recognizing this, the Minister of National Revenue has confirmed that individual taxpayers will not be penalized for this service interruption,” the CRA told the Star.
After it learned of the Heartbleed bug, the CRA said on its website that it “acted quickly as a preventative measure, to temporarily shut down public access to our online services to safeguard the integrity of the information we hold.”
“We are currently working on a remedy for restoring online services and, at this time, anticipate that services will resume over the weekend.”
Earlier today we chatted with PasswordBox’s chief security officer Richard Reiner, who told us that the “potential impact of the issue is pretty nasty”, potentially leading to “the disclosure of all sorts of things that individuals and businesses don’t want disclosed.”
However, “If someone was in a cautious mood they might want to go around and change some of their passwords, as many ecommerce owners and website owners are changing the cryptographic keys that they use in their SSL certificates, they’re refreshing the certificates with new keys because it’s possible that those were exposed,” Reiner told BetaKit.
For businesses (like the CRA), Reiner said he thinks “it’s reasonable for a site owner to do that because the impact of one of those sites being exposed is across millions of individuals, even if there’s no hard evidence it was being exploited. If you’re responsible for hundreds of millions of people, you might want to just take the hour out of your day and do that. For individuals it’s not bad advice to say that people should change some of their passwords.”