Skip to main content

The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called Heartbleed.Mark Blinch/Reuters

Canadians who have never filed their taxes online might believe they are safe from the Heartbleed bug that hit websites around the world and shuttered the Canada Revenue Agency's site over security concerns.

They could be wrong, say tax specialists. Any individual or business who has employed a tax accountant in the past two years – or has simply created an online profile on the Canada Revenue website, has potentially been exposed.

Accountants regularly access the CRA website for pieces of tax information their clients might be missing, such as RRSP contribution room. The sensitive information the agency stores includes people's salaries, social insurance numbers as well as where they bank and hold their investments.

"If they breach the site, everyone's information is on there already – regardless of whether they have ever filed taxes online," says Mark Goodfield, a tax accountant and managing partner with Cunningham LLP in Toronto.

Accountants regularly access financial information from the tax agency's website to put together tax returns for their clients, he said. "But you if have never set up an online account or given an accountant permission to access your information online, I don't know if it would be vulnerable."

Robin Taub, owner of Robin Taub Financial Consulting, noted that the CRA servers hold Canadians' most sensitive information. "This is really scary because the CRA has your social insurance number, your date of birth, your financial information, basically everything someone would need to steal your identity or commit fraud," he said.

Governments and companies around the world are scrambling to patch a major vulnerability that became widely known only this week. There is no evidence to indicate the weakness has been exploited, however security experts say the problem is that there is no way to trace whether someone has used the opening to steal sensitive information.

The Canada Revenue Agency shut down its electronic filing services Tuesday evening and said in an updated statement Thursday that the April 30 filing deadline will be extended by the same duration as the shutdown.

"In keeping with industry practice, we are currently implementing a solution, or 'patch,' for the bug, and are vigorously testing all systems to ensure they will be safe and secure once the site is relaunched," a note on the CRA's website said.

A spokeswoman for Revenue Minister Kerry-Lynne Findlay said Thursday that services will be back up soon. "CRA is currently working on a remedy for restoring online services and, at this time, anticipate that services will resume soon," said Rebecca Rogers in an e-mail.

Other departments are also looking into the issue, but it is not clear what actions have been taken.

A spokesperson for Shared Services Canada – which manages a wide-range of programs like payroll and IT for numerous federal departments – said in a statement that it "is working with departments and Public Safety Canada to assess all IT systems and to apply solutions as required."