
The Canada Revenue Agency headquarters in Ottawa is shown on Nov. 4, 2011.

SEAN KILPATRICK/THE CANADIAN PRESS

A major cybersecurity flaw that exposes encrypted information to hackers has forced the Canada Revenue Agency to shut down its filing system and push back the deadline for online returns.

The flaw, which is known as Heartbleed and affects systems that are designed to protect sensitive information, has major websites around the world rushing to patch a hole that leaves users' passwords vulnerable to exploitation.

The CRA shut down its online services on Tuesday evening, just three weeks before the April 30 tax deadline, and is not planning to restore public access until at least the weekend. For taxpayers, the penalty-free deadline will be pushed back for as long as the shutdown.


The CRA said the move was considered precautionary, because there is no evidence of a breach.

Heartbleed, however, is particularly vexing to security experts because it allows hackers to slip in and out of the Internet's most deeply encrypted systems without leaving a trace. The flaw had gone undetected for more than two years, until it was revealed this week.

So far, computer experts have found no proof that anyone has exploited the flaw to steal information. But given that hundreds of thousands of web servers use the technology affected by Heartbleed, the risk is massive.

"It's all about potential," said Gerry Egan, senior director of product management at Symantec. He said that many large sites, including banks, use the vulnerable software.

Many popular websites – including Yahoo and Tumblr – confirmed they were affected and are implementing a fix. A statement posted by staff of Tumblr, a blog-sharing site, put the situation in clear terms.

"We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal e-mails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," they said. "This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like e-mail, file storage, and banking, which may have been compromised by this bug."

Canadian banks and credit unions said Wednesday that their online banking sites were not affected. The U.S. Internal Revenue Service, where Americans must file their taxes by April 15, also said it was not affected by the bug.


Mr. Egan said most large companies and websites have the resources to quickly fix the bug, but the greater problem lies in smaller sites that don't get around to fixing it. If a user employs the same log-in information for one of those sites as they do for their online banking account, for example, their security could be compromised regardless of what the bank's IT department does.

"Imagine you had a master key for your front door, your car, your office," said Mr. Egan. "It's really convenient, but if you lose the key and someone finds it, now you're in trouble."

Other federal departments in Canada were reviewing whether they should take specific measures in response to the bug.

Numerous respected experts in cybersecurity stressed that Heartbleed should not be taken lightly.

" 'Catastrophic' is the right word. On a scale of 1 to 10, this is an 11," wrote Bruce Schneier, an author and fellow at Harvard's Berkman Center for Internet and Society, on his blog.

The federal government is likely going through its inventory of servers to decide which websites need to be dealt with first, said cybersecurity expert Raymond Vankrimpen. "They've obviously identified this CRA website as a critical one to take offline. But I have no doubt that there are other government websites that use SSL technology," said Mr. Vankrimpen, a partner at the financial advisory firm Richter.


"They're probably triaging everything."

The Heartbleed bug affects a widely used cryptographic library called OpenSSL, and specifically OpenSSL's implementation of the TLS heartbeat extension defined in RFC 6520.
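The defect in that heartbeat code was a missing bounds check: the library trusted the payload length claimed inside the message instead of the number of bytes it had actually received. The validator below, an added example that is not from the article or from OpenSSL, shows the RFC 6520 length rule a patched implementation (or an intrusion-detection rule) enforces; the two sample records are constructed test vectors.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> tuple:
    """Validate one TLS heartbeat record against RFC 6520.

    Returns (ok, reason). The decisive test is the one vulnerable OpenSSL
    builds omitted: the claimed payload_length, plus the type byte, the
    length field and the mandatory padding, must fit in the bytes received.
    """
    if len(record) < 5:
        return False, "truncated TLS record header"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return False, "not a heartbeat record (type %d)" % content_type
    body = record[5:]
    if len(body) != rec_len:
        return False, "record length field does not match bytes received"
    if rec_len < 1 + 2 + MIN_PADDING:
        return False, "heartbeat body too short"
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, "unknown heartbeat type %d" % hb_type
    # Without this comparison a responder copies payload_len bytes out of
    # its own memory, far past the 4-byte payload it was actually sent.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return False, ("payload_length %d exceeds record body of %d bytes"
                       % (payload_len, rec_len))
    return True, "ok"


# Constructed sample: a well-formed request, payload "ping" (4 bytes).
GOOD_HEARTBEAT = (b"\x18\x03\x02\x00\x17"          # type 24, TLS 1.1, 23 bytes
                  + b"\x01\x00\x04" + b"ping" + b"\x00" * MIN_PADDING)

# Constructed sample: same 4-byte payload but a claimed length of 65535.
BAD_HEARTBEAT = (b"\x18\x03\x02\x00\x17"
                 + b"\x01\xff\xff" + b"ping" + b"\x00" * MIN_PADDING)

if __name__ == "__main__":
    for name, rec in (("good", GOOD_HEARTBEAT), ("bad", BAD_HEARTBEAT)):
        print(name, check_heartbeat_record(rec))
```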

The Ontario government confirmed that it uses OpenSSL, but it said it has not found that any information is at risk of getting hacked as a result of Heartbleed.

"As of right now, we have not seen any data, personal information or servers compromised as a result of the software flaw that has affected the federal government," said Jenna Mannone, a spokeswoman for Government Services Minister John Milloy, whose ministry oversees the collection of information for such things as health cards and drivers' licences.

The online services affected by the temporary CRA shutdown include EFILE, NETFILE and My Account, which taxpayers would normally access to track their refund or check their RRSP limit.

With reports from Omar El Akkad
