Skip to main content

Canada Security risk not limited to those who have filed tax return online

The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called Heartbleed.

Mark Blinch/Reuters

Canadians who have never filed their taxes online might believe they are safe from the Heartbleed bug that hit websites around the world and shuttered the Canada Revenue Agency's site over security concerns.

They could be wrong, say tax specialists. Any individual or business who has employed a tax accountant in the past two years – or has simply created an online profile on the Canada Revenue website, has potentially been exposed.

Accountants regularly access the CRA website for pieces of tax information their clients might be missing, such as RRSP contribution room. The sensitive information the agency stores includes people's salaries, social insurance numbers as well as where they bank and hold their investments.

Story continues below advertisement

"If they breach the site, everyone's information is on there already – regardless of whether they have ever filed taxes online," says Mark Goodfield, a tax accountant and managing partner with Cunningham LLP in Toronto.

Accountants regularly access financial information from the tax agency's website to put together tax returns for their clients, he said. "But you if have never set up an online account or given an accountant permission to access your information online, I don't know if it would be vulnerable."

Robin Taub, owner of Robin Taub Financial Consulting, noted that the CRA servers hold Canadians' most sensitive information. "This is really scary because the CRA has your social insurance number, your date of birth, your financial information, basically everything someone would need to steal your identity or commit fraud," he said.

Governments and companies around the world are scrambling to patch a major vulnerability that became widely known only this week. There is no evidence to indicate the weakness has been exploited, however security experts say the problem is that there is no way to trace whether someone has used the opening to steal sensitive information.

The Canada Revenue Agency shut down its electronic filing services Tuesday evening and said in an updated statement Thursday that the April 30 filing deadline will be extended by the same duration as the shutdown.

"In keeping with industry practice, we are currently implementing a solution, or 'patch,' for the bug, and are vigorously testing all systems to ensure they will be safe and secure once the site is relaunched," a note on the CRA's website said.

A spokeswoman for Revenue Minister Kerry-Lynne Findlay said Thursday that services will be back up soon. "CRA is currently working on a remedy for restoring online services and, at this time, anticipate that services will resume soon," said Rebecca Rogers in an e-mail.

Story continues below advertisement

Other departments are also looking into the issue, but it is not clear what actions have been taken.

A spokesperson for Shared Services Canada – which manages a wide-range of programs like payroll and IT for numerous federal departments – said in a statement that it "is working with departments and Public Safety Canada to assess all IT systems and to apply solutions as required."

Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

Cannabis pro newsletter