CRA cuts off electronic access over security concerns
OTTAWA - A major international security concern has forced the shutdown of electronic filing services at the Canada Revenue Agency, and there are concerns the problem could affect other government systems as well.
The tax agency temporarily cut off public access to its electronic services Wednesday, saying the action was taken as a precaution.
"We have received information concerning an Internet security vulnerability named the Heartbleed Bug,'' the agency said in a statement posted on its website.
"As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold.''
The shutdown came after the Canadian Cyber Incident Response Centre (CCIRC) issued a warning to system administrators about the coding flaw. It recommended that system operators unable to plug in an immediate fix get off the grid.
The affected services at CRA include EFILE, NETFILE, My Account, My Business Account and Represent a Client.
It was unclear just how long it might take to ensure the agency's computers are secure, but Revenue Minister Kerry-Lynne Findlay indicated it could be some time before the system was back up and running, noting that the agency would post updated information on its website "daily.''
"We're investigating, we're working on it,'' Findlay told reporters.
Toronto tax litigation and planning lawyer David J. Rotfleisch tells AdvocateDaily.com that this issue will primarily affect individuals rather than corporations. Most personal returns are filed electronically using EFILE, either by individuals or by accountants, he says, while many corporate returns are paper-filed and due three or six months after their year-end.
“No returns can be filed electronically until the problem is resolved. It also means that once it is resolved, there will be a backlog of returns that may cause difficulties with the site. For accountants, it means that they will have an inventory of completed returns that cannot be filed and will have to be dealt with later on," says Rotfleisch, founding tax lawyer at Rotfleisch & Samulovitch Professional Corporation.
“In previous years, the CRA has had to extend the electronic filing deadline due to website bottlenecks. It is very likely that the CRA will extend the filing deadline and probably the due date for payments," he adds.
However long it takes, the revenue agency tried to reassure tax filers Wednesday, suggesting that people unable to file on time as a result of the shutdown would not be penalized.
"Please note that consideration will also be given to taxpayers who are unable to comply with their filing requirements because of this service interruption,'' the agency said on its website.
It is a busy time of year for the tax agency, as people file returns electronically and track the progress of refunds online.
As of the end of March, the agency had received 6.7 million returns, with 84 per cent filed electronically.
The computer bug was reportedly detected last week by Internet security experts in Finland and researchers at Google, but only revealed widely within the online security community on Monday.
Heartbleed affects open-source software called OpenSSL that's at the very core of millions of applications used to encrypt Internet communications.
And experts warn that its impact on consumers could be significant.
It can reveal the contents of a computer server's memory, including private data such as user names, passwords, and credit card numbers.
As Canada's tax collection agency was making the decision to go offline, a number of large websites, such as Google, Facebook and Yahoo said that they were either fixing the problem or had already dealt with the threat.
Canada's major banks were also scrambling to reassess their systems, with at least two assuring clients that measures were in place to prevent any loss of information.
"TD already has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk,'' said Barbara Timmins, a spokeswoman at TD Bank Group.
"While we don't recommend any specific actions to TD customers as a result of this vulnerability, we always recommend that customers change their passwords regularly,'' she added.
"That said, TD has intelligent and multi-layered authentication, so there are multiple safeguards in place to protect customers.''
RBC spokesman Jason Graham added that while the bank takes every threat seriously, RBC websites "have not been affected by the Heartbleed security bug.''
While the problem is international in nature, Opposition NDP Leader Tom Mulcair was quick to pounce on the Harper Conservatives for failing to adequately protect and provide services to Canadians.
"The Conservatives are such poor public managers that they can't deliver the grain, they can't even deliver the mail and now at tax time they can't even communicate with Canadians through the revenue agency,'' Mulcair said.
Liberal Leader Justin Trudeau, however, was prepared to cut the Tories some slack, saying he would support any measures needed to battle the bug.
- With files from AdvocateDaily.com