This article exists as part of the online archive for HuffPost Canada, which closed in 2021.

Heartbleed Threat Shuts Down CRA Website

Canada Revenue Agency has shut down public access to its tax-filing data amid reports of a major security flaw in a commonly used code for login services.

Individuals and businesses who have accounts at CRA website, allowing them to track their tax filings, were unable to access the accounts Wednesday morning.

“To protect the security of taxpayer information, we have temporarily shutdown public access to our electronic services,” CRA said in a notice on the site. “We are working to restore these services as soon as possible in a manner that ensures they are safe and secure.”

“We have received information concerning an Internet security vulnerability named the Heartbleed Bug,” the agency said in a statement posted on its website Wednesday morning.

“As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold.”

The affected services include EFILE, NETFILE, My Account, My Business Account and Represent a Client.

The Canadian Bankers Association, which represents some 59 domestic and foreign banks, said Wednesday that the online banking applications of Canadian banks were not affected by the bug.

Canada Revenue said it is working to restore safe and secure access as soon as possible.

CRA also issued a warning on its website Tuesday that phone and email scammers pretending to be CRA representatives are phishing for personal info -- or worse.

“Examples of recent telephone scams involve threatening or coercive language to scare individuals into pre-paying fictitious debt to the CRA. These calls should be ignored and reported to the RCMP,” CRA said.

“People should be especially aware of phishing scams asking for information such as credit card, bank account, and passport numbers. The CRA would never ask for this type information.”

As much as 66 percent of the Web may have been compromised by a newly revealed security flaw called Heartbleed. It affects one implementation of the SSL internet protocol known as OpenSSL.

Every time you log into a website, your login credentials are sent to that website's server. But in most cases those credentials aren't simply sent to the server in plain text -- they're encrypted using a protocol called Secure Sockets Layer, or SSL.

Hackers can exploit a flaw in this code to get raw text from emails, instant messages, passwords, even business documents -- anything a user sends to a vulnerable site's server.

Apparently the security flaw existed for two years before being discovered by researchers.

"Heartbleed is so serious -- it's such a big, bad event -- that almost every major service is scrambling to clean it up as quickly as possible," Matthew Prince, CEO of content delivery network Cloudflare, told The Huffington Post.

-- With files from Betsy Isaacson and The Canadian Press. This story has been updated from its original version.

Also on HuffPost

Ten Common Money Scams

Suggest a correction
This article exists as part of the online archive for HuffPost Canada. Certain site features have been disabled. If you have questions or concerns, please check our FAQ or contact