Skip to main content

Researchers have identified a potential security threat in the encryption technology that is supposed to protect online accounts for e-mails, instant messaging and a wide range of electronic commerce.

PEDRO NUNES/iSTOCKPHOTO

The Heartbleed security bug has sent a chill through the world of e-commerce, even though most companies that count on the Internet to do business say they have put fixes in place to make sure they are not vulnerable.

While the bug has been around for as long as two years, the issue came to a head Wednesday when the Canada Revenue Agency (CRA) said it had blocked public access to its online services because of concerns over potential security breaches.

The flaw in OpenSSL, a common encryption technology, can expose passwords and personal information to hackers.

Story continues below advertisement

Many Canadian firms with widely used Internet sites said they have already dealt with the problem, or they haven't been affected, so clients shouldn't worry. Accountants who file client tax returns, however, are apoplectic about the CRA shutdown.

The Canadian Bankers Association said the online banking operations of the country's banks have not been hit by the bug, thanks to their sophisticated security systems and active monitoring. Toronto-Dominion Bank said it "has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk."

The two biggest airlines weren't hit either. Air Canada said it wasn't affected, while WestJet Airlines Ltd. said the airline has taken no special action. "We've assessed our systems in light of this bug and determined that thanks to a number of existing security features, our risk is low," WestJet spokesman Robert Palmer said.

Wal-Mart Canada said the version of the software it runs on its site has not been hit by the security issue, while Amazon.ca, Indigo Books & Music Inc. and Rogers Communications Inc. said they weren't affected. Nor was medical testing lab LifeLabs Medical Laboratory Services.

Others, such as Manulife Financial Corp., would not comment about security issues. Sun Life Financial Inc. would say only that "security and safety remain a top priority for the organization."

American companies were more forthcoming, although few admitted to widespread security breaches.

A spokesman for Facebook Inc. said it had added protection to its version of OpenSSL before the issue was publicly disclosed, adding that individual users should still be vigilant about their passwords. "We haven't detected any signs of suspicious account activity that would suggest a specific action," he said.

Story continues below advertisement

At Yahoo Inc., which was hit, the company has now "successfully made the appropriate corrections across our entire platform," a spokesperson said.

Google Inc. said it "fixed this bug early" and users do not need to change their passwords. Still, while the patches have been make to all the key Google services such as its search function, Gmail and YouTube, the company acknowledged that some other services still need to be fixed.

Meanwhile, Canadian accountants were scrambling to deal with the temporary shutdown of the CRA website because of the bug, just three weeks ahead of the April 30 deadline for filing personal income tax returns.

"This is crazy. We can not e-file any returns today, which is definitely delaying things on our end," said Wayne Bewick, a chartered professional accountant with Trowbridge Professional Corp. in Toronto, who estimates that 70 per cent of the firm's filing is done over the Internet.

In a statement on its website, the CRA said that it anticipates that services will resume "over the weekend," and that "individual taxpayers will not be penalized for this service interruption." It did not give any details as to whether it would extend the deadline or by how long.

"The timing is insanely terrible. Because we are getting into the heart of tax season now," Mr. Bewick said, adding that even a four- or five-day delay in getting the site back up and running safely would be "a hassle."

Story continues below advertisement

Mr. Bewick said the CRA would likely "extend the e-filing deadline as well so that there will likely be an additional week to get things done."

In addition to not being able to file taxes electronically, accountants use the tax agency's website to find information about their clients, such as their Registered Retirement Savings Plan contribution limits, their T4 slips and pension details.

"For accountants, this is a big deal because we use this site regularly," said Mark Goodfield, a tax accountant and managing partner with Cunningham LLP in Toronto. "So it hampers us."

Robin Taub, a CPA, CA and owner of Robin Taub Financial Consulting, said that undoubtedly, some companies are frustrated. "This affects a lot of people because the personal filing tax deadline is soon, but this also affects corporations and people who own businesses."

Many business owners use the CRA site to access their GST/HST, payroll, and other accounts online, Ms. Taub said. "The scope goes beyond the personal tax filing deadline."

The shutdown of the site is inconvenient, she said. "But in a way, this would be the best outcome – inconvenience – as opposed to identity theft or fraud."

Story continues below advertisement

With files from reporters Tim Kiladze, Bertrand Marotte and Marina Strauss

Report an error Editorial code of conduct
Tickers mentioned in this story
Unchecking box will stop auto data updates
Comments

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • All comments will be reviewed by one or more moderators before being posted to the site. This should only take a few moments.
  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed. Commenters who repeatedly violate community guidelines may be suspended, causing them to temporarily lose their ability to engage with comments.

Read our community guidelines here

Discussion loading ...

Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.
Cannabis pro newsletter