Researchers have identified a potential security threat in the encryption technology that is supposed to protect online accounts for e-mails, instant messaging and a wide range of electronic commerce.PEDRO NUNES
The Heartbleed security bug has sent a chill through the world of e-commerce, even though most companies that count on the Internet to do business say they have put fixes in place to make sure they are not vulnerable.
While the bug has been around for as long as two years, the issue came to a head Wednesday when the Canada Revenue Agency (CRA) said it had blocked public access to its online services because of concerns over potential security breaches.
The flaw in OpenSSL, a common encryption technology, can expose passwords and personal information to hackers.
Many Canadian firms with widely used Internet sites said they have already dealt with the problem, or they haven't been affected, so clients shouldn't worry. Accountants who file client tax returns, however, are apoplectic about the CRA shutdown.
The Canadian Bankers Association said the online banking operations of the country's banks have not been hit by the bug, thanks to their sophisticated security systems and active monitoring. Toronto-Dominion Bank said it "has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk."
The two biggest airlines weren't hit either. Air Canada said it wasn't affected, while WestJet Airlines Ltd. said the airline has taken no special action. "We've assessed our systems in light of this bug and determined that thanks to a number of existing security features, our risk is low," WestJet spokesman Robert Palmer said.
Wal-Mart Canada said the version of the software it runs on its site has not been hit by the security issue, while Amazon.ca, Indigo Books & Music Inc. and Rogers Communications Inc. said they weren't affected. Nor was medical testing lab LifeLabs Medical Laboratory Services.
Others, such as Manulife Financial Corp., would not comment about security issues. Sun Life Financial Inc. would say only that "security and safety remain a top priority for the organization."
American companies were more forthcoming, although few admitted to widespread security breaches.
A spokesman for Facebook Inc. said it had added protection to its version of OpenSSL before the issue was publicly disclosed, adding that individual users should still be vigilant about their passwords. "We haven't detected any signs of suspicious account activity that would suggest a specific action," he said.
At Yahoo Inc., which was hit, the company has now "successfully made the appropriate corrections across our entire platform," a spokesperson said.
Google Inc. said it "fixed this bug early" and users do not need to change their passwords. Still, while the patches have been make to all the key Google services such as its search function, Gmail and YouTube, the company acknowledged that some other services still need to be fixed.
Meanwhile, Canadian accountants were scrambling to deal with the temporary shutdown of the CRA website because of the bug, just three weeks ahead of the April 30 deadline for filing personal income tax returns.
"This is crazy. We can not e-file any returns today, which is definitely delaying things on our end," said Wayne Bewick, a chartered professional accountant with Trowbridge Professional Corp. in Toronto, who estimates that 70 per cent of the firm's filing is done over the Internet.
In a statement on its website, the CRA said that it anticipates that services will resume "over the weekend," and that "individual taxpayers will not be penalized for this service interruption." It did not give any details as to whether it would extend the deadline or by how long.
"The timing is insanely terrible. Because we are getting into the heart of tax season now," Mr. Bewick said, adding that even a four- or five-day delay in getting the site back up and running safely would be "a hassle."
Mr. Bewick said the CRA would likely "extend the e-filing deadline as well so that there will likely be an additional week to get things done."
In addition to not being able to file taxes electronically, accountants use the tax agency's website to find information about their clients, such as their Registered Retirement Savings Plan contribution limits, their T4 slips and pension details.
"For accountants, this is a big deal because we use this site regularly," said Mark Goodfield, a tax accountant and managing partner with Cunningham LLP in Toronto. "So it hampers us."
Robin Taub, a CPA, CA and owner of Robin Taub Financial Consulting, said that undoubtedly, some companies are frustrated. "This affects a lot of people because the personal filing tax deadline is soon, but this also affects corporations and people who own businesses."
Many business owners use the CRA site to access their GST/HST, payroll, and other accounts online, Ms. Taub said. "The scope goes beyond the personal tax filing deadline."
The shutdown of the site is inconvenient, she said. "But in a way, this would be the best outcome – inconvenience – as opposed to identity theft or fraud."
With files from reporters Tim Kiladze, Bertrand Marotte and Marina Strauss
Roma Luciw