Skip to main content
The Globe and Mail
Support Quality Journalism.
The Globe and Mail
First Access to Latest
Investment News
Collection of curated
e-books and guides
Inform your decisions via
Globe Investor Tools
per week
for first 24 weeks

Enjoy unlimited digital access
Enjoy Unlimited Digital Access
Get full access to
Just $1.99per week for the first 24weeks
Just $1.99per week for the first 24weeks
var select={root:".js-sub-pencil",control:".js-sub-pencil-control",open:"o-sub-pencil--open",closed:"o-sub-pencil--closed"},dom={},allowExpand=!0;function pencilInit(o){var e=arguments.length>1&&void 0!==arguments[1]&&arguments[1];select.root=o,dom.root=document.querySelector(select.root),dom.root&&(dom.control=document.querySelector(select.control),dom.control.addEventListener("click",onToggleClicked),setPanelState(e),window.addEventListener("scroll",onWindowScroll),dom.root.removeAttribute("hidden"))}function isPanelOpen(){return dom.root.classList.contains(}function setPanelState(o){dom.root.classList[o?"add":"remove"](,dom.root.classList[o?"remove":"add"](select.closed),dom.control.setAttribute("aria-expanded",o)}function onToggleClicked(){var l=!isPanelOpen();setPanelState(l)}function onWindowScroll(){window.requestAnimationFrame(function() {var l=isPanelOpen(),n=0===(document.body.scrollTop||document.documentElement.scrollTop);n||l||!allowExpand?n&&l&&(allowExpand=!0,setPanelState(!1)):(allowExpand=!1,setPanelState(!0))});}pencilInit(".js-sub-pencil",!1); // via darwin-bg var slideIndex = 0; carousel(); function carousel() { var i; var x = document.getElementsByClassName("subs_valueprop"); for (i = 0; i < x.length; i++) { x[i].style.display = "none"; } slideIndex++; if (slideIndex> x.length) { slideIndex = 1; } x[slideIndex - 1].style.display = "block"; setTimeout(carousel, 2500); } //

File picture illustration of the word 'password' pictured through a magnifying glass on a computer screen, taken in Berlin May 21, 2013.


All Canadian federal departments using software vulnerable to the Heartbleed bug have been ordered to immediately disable public websites, while the U.S. government warned Friday that hackers were probing networks for the security weakness in targeted attacks.

Canada's directive issued late Thursday calls this a precautionary measure until the "appropriate security patches are in place and tested."

(Read The Globe's explainer of how Heartbleed works and what passwords might be most at risk.)

Story continues below advertisement

It was not clear on Friday morning how many websites have been disabled, what departments and agencies are affected or how widespread the potential threat is.

Officials at Treasury Board were not responding to media requests for comment.

Chief Information Officer Corinne Charette directed all federal departments to disable websites that are running unpatched OpenSSL software.

Ms. Charette said in a statement issued through the Treasury Board that while disruptive, "this is the best course of action to protect the privacy of Canadians." The statement adds that until measures are applied, "Canadians will be unable to access certain Government of Canada websites."


The Canadian government's directive was the latest of several precautions governments around the world are taking to counter the risks of Heartbleed, which exploits a common encryption program, OpenSSL, making password information potentially vulnerable to hackers.

United States: The U.S. government issued a warning Friday to banks and infrastructure operators that hackers were attempting to exploit Heartbleed in targeted attacks by scanning networks to see if they are vulnerable. It asked organizations to report any Heartbleed-related attacks to Department of Homeland Security in an advisory on the agency's website.

Story continues below advertisement

Germany: The German government released an advisory on Friday that echoed Washington's, describing the bug as "critical."

Canada Revenue Agency: On Wednesday, the Canada Revenue Agency closed its filing system and pushed back the April 30 deadline for online returns until after the security risk is resolved. The CRA called the move precautionary, saying there is so far no evidence of a breach. A spokeswoman for Revenue Minister Kerry-Lynne Findlay said Thursday that services will be back up soon. The services affected by the CRA's shutdown shutdown include EFILE, NETFILE and My Account, where taxpayers track their refunds or check their RRSP limit.

Prince Edward Island: On Thursday, Prince Edward Island's Workers' Compensation Board shut its website as a precaution, and gave users an automatic prompt to change their passwords.

Alberta: "At this point safety and confidentiality haven't been compromised," said Jessica Jacobs-Mino, a spokeswoman for Alberta Treasury Board and Finance. "We're definitely monitoring the situation and taking initial measures such as updating and putting in defences."

Ontario: The provincial government said on Thursday its web system does not appear to have been disrupted. "As of right now, our Cyber Security Team has not seen any data, personal information or servers compromised as a result of the software flaw that has affected the federal government, and all Ontario government sites remain operational," Ann Doose, spokeswoman for the Ministry of Government Services, said in an e-mail. "As you are aware, like many organizations, the Ontario government does use OpenSSL software and is aware of the reported software flaw. As a result, Government IT experts immediately looked into the matter, and are working to ensure that all data and information remains protected. Government IT experts continue to prioritize updating the software which software experts have assured us will fix the flaw."


Story continues below advertisement

The federal Liberal Treasury Board and Public Works critic, Gerry Byrne, suggested the government should to be more transparent about the bug and what is being done to protect sensitive data from any threat.

"It does seem to be a little more widespread and more prevalent of a risk than was first communicated," he said about the government directive. "It's incumbent upon the government to issue clear, concise, factual statements to avoid the level of concern being raised unnecessarily."

"The response [by the other departments besides Canada Revenue Agency] has been more opaque than it needs to be," said Mark Nunnikhoven, a former information-technology security expert with the federal government.

A smart move would be for the government to provide separate updates on the situation to the users of its various services rather than putting out a blanket advisory, said Mr. Nunnikhoven, vice-president of cloud and emerging technologies at Trend Micro.

"In a situation like this you need to be constantly in communication with your users."


Story continues below advertisement

The online news site Mashable has an extensive list of other affected sites. They suggested immediately change the passwords if you use:

  • Facebook
  • Gmail (or other Google services)
  • Tumblr
  • Yahoo mail
  • GoDaddy
  • Intuit (TuboTax)
  • Dropbox
  • LastPass
  • OkCupid
  • Soundcloud

The Canadian Bankers Association said the online banking operations of the country's banks have not been hit by the bug, thanks to their sophisticated security systems and active monitoring. Toronto-Dominion Bank said it "has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk."

Air Canada said Wednesday that it wasn't affected, while WestJet Airlines Ltd. said the airline has taken no special action. "We've assessed our systems in light of this bug and determined that thanks to a number of existing security features, our risk is low," WestJet spokesman Robert Palmer said.

Wal-Mart Canada said the version of the software it runs on its site has not been hit by the security issue, while, Indigo Books & Music Inc. and Rogers Communications Inc. said they weren't affected. Nor was medical testing lab LifeLabs Medical Laboratory Services.

Bertrand Marotte, with reports from Reuters, The Canadian Press, Bill Curry, Tu Thanh Ha, Shane Dingman, Roma Luciw and Richard Blackwell

Your Globe

Build your personal news feed

  1. Follow topics and authors relevant to your reading interests.
  2. Check your Following feed daily, and never miss an article. Access your Following feed from your account menu at the top right corner of every page.

Follow topics related to this article:

View more suggestions in Following Read more about following topics and authors
Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to If you want to write a letter to the editor, please forward to

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

If you do not see your comment posted immediately, it is being reviewed by the moderation team and may appear shortly, generally within an hour.

We aim to have all comments reviewed in a timely manner.

Comments that violate our community guidelines will not be posted.

UPDATED: Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies