Heartbleed bug causes Canada Revenue Agency to shut down online tax filing

The headquarters of the Canada Revenue Agency is photographed in Ottawa, November 4, 2011. (Chris...

The headquarters of the Canada Revenue Agency is photographed in Ottawa, November 4, 2011. (Chris Roussakis/QMI Agency)

Kate Schwass-Bueckert, QMI Agency

, Last Updated: 6:17 AM ET

The Canadian Revenue Agency (CRA) expects services to resume by the weekend after the discovery of a bug that could be used to steal personal information.

The CRA shut down public access to its web services Wednesday morning, affecting people who want to file their taxes online ahead of the April 30 deadline.

The CRA said that "interest and penalties will not be applied to individual taxpayers filing their 2013 tax returns after April 30, 2014, for a period equal to the length of this service interruption.”

The CRA said the move was a preventative measure after it received information about the bug called Heartbleed, found in widely used web-encryption technology and considered one of the most serious security flaws uncovered in recent years.

The bug is an error in the coding of the software that could be exploited by hackers, giving them access to data, including recent transactions, such as tax returns with personal information.

It was discovered by an Internet security firm, but it's unclear if any hackers have taken advantage of it.

Seth Hardy, a senior security researcher at the Citizen Lab at the Munk School of Global Affairs at the University of Toronto said even though it's "a very small error in the program," it's clearly not a quick fix.

"This is a major vulnerability," he said.

While some websites vulnerable to the bug will be able to apply a patch and carry on with business, companies and organizations with multiple servers will need to first test the patch on one server and do testing, then slowly roll it out across the system.

A place like the CRA would need to ensure the system is back in perfect working order before allowing the public back on.

"The biggest thing is they've taken pro-active measures," Hardy said.

The CRA posted a notice on its website Wednesday morning.

"We are working to restore these services as soon as possible in a manner that ensures they are safe and secure," the notice reads.

The shutdown includes services such as efile, netfile, accessing accounts and areas for accountants.

"The CRA recognizes that this problem may represent a significant inconvenience for individual Canadians, representatives and businesses that count on the CRA for online information and services. Please be assured that we are fully engaged in resolving this matter and restoring online services as soon as possible in a manner that ensures the private information of Canadians remains safe and secure," the agency said in a press release.

It also promised to investigate potential data and information leaks.

In a release March 31, the CRA said of 6.7 million returns it had received this year, 84% were filed electronically.

"Electronic filing is quickly becoming the norm, as taxfilers discover how convenient, easy, and secure online filing is."


Photos