The Canada Revenue Agency has shut down the public access portion of its website due to the Heartbleed bug.
The bug is a recently discovered vulnerability in a version of OpenSSL security software code that is installed on two-thirds of the active servers connected to the internet.
Installed on about two-thirds of the active websites on the Internet today, OpenSSL was believed to be comparatively safe and secure. But the Heartbleed vulnerability could allow a malicious user to read the memory of affected systems by mimicking the look of an authorized user, which would give the hacker access to sensitive information on any server with the buggy code installed.
"Essentially, they'd get a second key to your house and can walk in whenever they want," technology analyst Carmi Levy told CBC News in describing the bug on Wednesday. "Right now, server owners around the world are busy fixing that. They're trying to patch a fix to close that vulnerability."
There's an easy patch to fix the code, but it must be installed on systems retroactively. And it's very difficult to tell whether any unauthorized users exploited the loophole before it was fixed.
The tax agency announced the shutdown of the public portion of its website in a note on the site late Tuesday, but provided little detail, saying the move was done as a precaution. The move affects online tax-return filing services such as EFILE and NETFILE and also online access to account information for individuals and businesses.
"To protect the security of taxpayer information, we have temporarily shut down public access to our electronic services. We are working to restore these services as soon as possible in a manner that ensures they are safe and secure," the website read.
The agency later confirmed to CBC News in an email that the shutdown is related to the Heartbleed bug. "We will provide further information and daily updates at [3 p.m. eastern time] on our home page until the situation is resolved," the tax agency said.
Revenue Minister Kerry-Lynne Findlay told reporters the agency learned of the website vulnerability Tuesday night and CRA officials worked through the night on the issue.
"Obviously, we deal with very sensitive and personal taxpayer information on a daily basis and so we want, as a precautionary measure, to make sure that our systems are functioning and back up as soon as possible. We know it's a difficult time being tax-filing season for Canadians," Findlay said, adding, "We're on top of this."
Asked whether Canadians who have already filed their tax returns should be worried about their information, Findlay repeated that the CRA shutdown was a precautionary measure and officials are "working on it."
NDP attacks Conservative priorities
The NDP attacked the government's response to the threat, saying it shows the government doesn't put a priority on management of public services.
"The Conservatives are such poor public managers that they can't deliver the grain, they can't even deliver the mail and now at tax time they can't even communicate with Canadians through the revenue agency," NDP Leader Tom Mulcair told reporters on Parliament Hill.
"They've made [public services] their lowest priority and it's not surprising that we see it breaking down."
Liberal Leader Justin Trudeau called on the government to act quickly to solve the problem.
"I think it's extremely important that we understand that security is not just bricks and mortar any more," Trudeau told reporters.
"Technology and information security is going to be a huge area of concern in the 21st century and we have to make sure that our various agencies, particularly ones dealing with sensitive data as the CRA, are keeping up with the need to protect Canadians in virtual ways, as well as the other agencies who protect us in physical ways, and I look forward to answers from the government in the days and weeks to come."
The department of public safety first posted an advisory Tuesday warning of the OpenSSL vulnerability, saying the Canadian Cyber Incident Response Centre was aware the security flaw "could allow a remote attacker to decrypt secure (internet) traffic."
The advisory said CCIRC, the agency within Public Safety that helps protect Canada's electronic infrastructure from cyber attacks, was recommending "system administrators test and deploy" security updates to "affected platforms."
The U.S. Department of Homeland Security issued its first advisory about Heartbleed on Monday.
The statement posted on the CRA website said consideration will "be given to taxpayers who are unable to comply with their filing requirements because of this service interruption."
The 2014 deadline for personal income tax filing for the 2013 tax year is at the end of this month.
The CRA tweeted a few days ago that 1,763 online returns were being processed per minute. More than 6.7 million Canadians have filed tax returns electronically as of March 24. That represents almost 84 per cent of returns.