The Canada Revenue Agency (CRA) has temporarily halted its online services in light of security concerns stemming from a vulnerability affecting systems around the world, known as the Heartbleed Bug.
Services including the CRA’s EFILE, NETFILE, My Account, My Business Account and Represent a Client have all been affected.
The Heartbleed Bug is a vulnerability in the open-source library OpenSSL that can allow attackers to read the memory of a web server, memory that can include the personal information of millions of people.
Today the Toronto Star reported that the CRA’s decision to shut down its online services comes just three weeks before the April 30 deadline to file personal income tax returns.
In a posting on its website on Wednesday afternoon, the agency acknowledged that the problem may “represent a significant inconvenience for individual Canadians who count on the CRA for online information and services.”
“Recognizing this, the Minister of National Revenue has confirmed that individual taxpayers will not be penalized for this service interruption,” the CRA told the Star.
After it learned of the Heartbleed bug, the CRA said on its website that it “acted quickly as a preventative measure, to temporarily shut down public access to our online services to safeguard the integrity of the information we hold.”
“We are currently working on a remedy for restoring online services and, at this time, anticipate that services will resume over the weekend.”
Earlier today we chatted with PasswordBox’s chief security officer Richard Reiner, who told us that the “potential impact of the issue is pretty nasty”, potentially leading to “the disclosure of all sorts of things that individuals and businesses don’t want disclosed.”
However, “If someone was in a cautious mood they might want to go around and change some of their passwords, as many ecommerce owners and website owners are changing the cryptographic keys that they use in their SSL certificates, they’re refreshing the certificates with new keys because it’s possible that those were exposed,” Reiner told BetaKit.
For businesses (like the CRA), Reiner said he thinks “it’s reasonable for a site owner to do that because the impact of one of those sites being exposed is across millions of individuals, even if there’s no hard evidence it was being exploited. If you’re responsible for hundreds of millions of people, you might want to just take the hour out of your day and do that. For individuals it’s not bad advice to say that people should change some of their passwords.”