— Updated at 3:16 p.m. ET —
The Canada Revenue Agency expects public access to its electronic services including EFILE and NETFILE will resume this weekend after the agency shut them down early Wednesday due to security concerns.
In a message posted to its website Wednesday afternoon, the CRA said it first learned of the so-called “Heartbleed Bug” early Tuesday and as a preventative measure temporarily shut down public access to EFILE, NETFILE, My Account, My Business Account and Represent a Client.
Heartbleed Bug is the name given to a vulnerability in certain versions of OpenSSL, the open-source software package broadly used to encrypt web communications. The flaw opens the door to hackers looking to access user data that would otherwise be protected.
“We are currently working on a remedy for restoring online services and, at this time, anticipate that services will resume over the weekend,” the CRA message said.
It went on to say that “individual taxpayers will not be penalized for this service interruption” but didn’t go so far as to say the April 30 tax deadline would be extended. As of the end of March, the CRA had received 6.7 million returns, with 84% filed electronically.
It’s also unclear whether any Canadian taxpayer data was compromised due to Heartbleed. “We continue to investigate any potential impacts to taxpayer information, and to be fully engaged in resolving this matter and restoring online services as soon as possible in a manner that ensures the private information of Canadians remains safe and secure.”
- For more on what the CRA might do next, read Evelyn Jack’s blog post for the Knowledge Bureau.
While you can’t file with the CRA via EFILE and/or NETFILE until service is restored, you may wish to prepare your tax return while you wait. Desktop applications are not affected by Heartbleed. If however you’re using one of the NETFILE-certified online based solutions listed here, it’s worth checking in with the Heartbleed test tool before you start to prepare your tax return see if your program of choice may be affected. (If you’ve already prepared your taxes using a web-based tool, it might be a good time to change your password, just as a precaution.) Tax Chopper, EachTax, AdvTax and SimpleTax have already confirmed with MoneySense that their free, online based programs have not been affected by Heartbleed.
According to openssl.org, a fixed version of OpenSSL was released Monday for service providers and users to install.
Popular online services that had been running the affected versions of OpenSSL leaving them susceptible to Heartbleed attackers included Yahoo, Flickr, Tumblr, WeTransfer among others, according to Gizmondo. Yahoo says it has patched the problem but users are being urged to change their passwords. It’s still unclear if user data was actually stolen.
–With files from The Canadian Press