With just over two weeks to go before the April 30 tax deadline, the Canada Revenue Agency has shut down parts of its website over security concerns around the newly-discovered Heartbleed vulnerability.
A notice on the CRA’s public site informed users of the shutdown, one it describes as a precaution. “To protect the security of taxpayer information, we have temporarily shutdown public access to our electronic services. We are working to restore these services as soon as possible in a manner that ensures they are safe and secure,” the CRA stated.
More than 6.7 million taxpayers have already filed their tax returns online since March 24. That number represents almost 84 per cent of expected tax returns. Before the shutdown, it was estimated that nearly 2,000 returns were being filed every minute through the site.
More people were expected to flood the CRA site in these next two weeks, but today visitors to the site were met with an red box with an exclamation point and the words: “Heading” and “message.”
Clicking on the box brings visitors to another page with a message that reads:
“To protect the security of taxpayer information, we have temporarily shut down public access to our electronic services. We are working to restore these services as soon as possible in a manner that ensures they are safe and secure.”
The development closely follows the discovery earlier this week of a massive vulnerability in OpenSSL, the open sourced software used to encrypt online communications. The bug, which has been called Heartbleed, allows attackers to steal information protected by SSL/TLS encryption which is employed in email communications, instant messaging, Web apps and virtual private networks.
The CRA later told the CBC News in an email that the site shutdown is related to the Heartbleed Bug. A spokesperson for the CRA said the agency is now investigating potential impact to taxpayers’ personal data.
Early last month, the CRA’s Web site also issued a warning to users that Canadians are being targeted by bogus emails and phone calls from persons posing as agency personnel.
Heartbleed isn’t the only security issue the tax man is experiencing. Early last month, the CRA’s Web site also issued a warning to users that Canadians are being targeted by bogus emails and phone calls from persons posing as agency personnel. Earlier this week the CRA also reported that over the past year it fired 14 of its employees and suspended another 18 due to unauthorized access of the agency’s computer files.
Federal agencies and departments have been in the spot light lately for failing to effectively protect private and personal information of Canadian citizens and residents.
During the period between April 1, 2013 and January 29, 2014, federal departments and agencies reported no less than 3,763 data breaches including incidents where taxpayers’ information were lost, compromised or mistakenly released, according to a report by the Privacy Commissioner’s Office. That figure is slightly higher than the 3,000 data breaches reported by the government in the last 10 years, according to the report
Most recent figures show that the CRA reported 2,983 data breach incidents during the reporting period. About 120 of the cases stemmed from theft or loss of data or information being compromised.
To test a website for the Heartbleed vulnerability, check out this tool.