The Canada Revenue Agency says Canadians will not face penalties if they’re late in filing their 2013 tax returns as a result of the 'Heartbleed' bug that forced the shutdown of the agency's website.
Revenue Minister Kerry-Lynne Findlay announced Wednesday afternoon that the fees will not be applied to individuals who file their returns after April 30, 2014 for a period equal to the length of the service interruption.
The website may stay down until the weekend.
The CRA announced Wednesday morning that it had shut down public access to its electronic services over security concerns related to 'Heartbleed' -- a newly discovered software flaw that has made information on many of the world’s major websites vulnerable to theft.
In a message posted on its website, the CRA said that it had temporarily closed its services site “to protect the security of taxpayer information.”
The agency said it recognizes that the temporary shutdown is a “significant inconvenience” for Canadians at the height of tax season.
“Recognizing this, the Minister of National Revenue has confirmed that individual taxpayers will not be penalized for this service interruption,” the CRA said.
Findlay said that the site had been closed as a "precautionary measure."
"Last night CRA was made aware that the 'Heartbleed' bug meant that there were some Internet systems vulnerabilities potentially that we should investigate," she told reporters in Ottawa.
She said the agency's IT department was working diligently to investigate and resolve the issue, and that the agency would be working to have the site back up as soon as possible.
"Obviously we deal with very sensitive and personal taxpayer information on a daily basis and so we want to, as a precautionary measure, make sure that our systems are functioning and back up as soon as possible," Findlay said.
Canadians can file their taxes online at the services site, and use CRA services such as EFILE, NETFILE, My Account, My Business Account and Represent a Client. The deadline for filing a 2013 tax return is April 30.
The agency said it will provide an update on the situation daily at 3 p.m. ET on its home page until the situation is resolved.
The bug was discovered in an encryption technology that's commonly used to secure the content of online communications, including emails, financial transactions, instant messaging and social media posts.
The threat is particularly serious because it went undiscovered for more than two years, experts say.
The bug was discovered by researchers at Google and Finnish security firm Codenomicon.
A software fix was released Monday for companies that use OpenSSL, the affected SSL/TLS encryption technology. Security analysts estimate that two-thirds of the servers on the Internet use OpenSSL.
While the software update is a relatively quick process, most companies will have to go through a series of checks to ensure that the change did not hurt any other part of their infrastructure, Ben Sapiro, senior manager at KPMG, told CTV News Channel.
Developer who noticed bug was 'spooked'
Justin Bull, a Toronto-based software developer and security enthusiast, said shortly after learning of ‘Heartbleed’ he checked various online services, including the CRA website.
"CRA wasn't secure and it spooked me quite a bit," Bull told CTV's Power Play on Wednesday.
Bull said it took some time navigating the CRA website to find an appropriate contact. When he reached a representative with e-services technical support Tuesday morning, he claimed that person had not heard of 'Heartbleed.'
"It took 24 hours after my report to turn off services -- maybe more like 18 hours," Bull said. "It could have just taken some time to bubble up from the call centre to the people who need to make the decision."
Bull said he wasn't trying to "penetrate" the CRA website to check for the bug.
"I just ran a few tests that any professional or average person could do to check their safety," he said.
Bull also checked the Service Canada and Elections Canada websites, which he found were safe.
He recommended that Canadians should change their passwords once online service administrators have implemented a fix.
"This isn't something the average user can really do," Bull said. "It's up to system administrators and people who manage these services, like Yahoo, Twitter and Google, it's up to them to make sure the services we provide to people are safe and secure."
'Heartbleed' could be "catastrophic"
Keith Murphy, the CEO of enterprise security firm Defence Intelligence, said while it's too early to say what information has been hacked as a result of the bug, it could be "potentially catastrophic for the Internet as a whole."
"It could be a mistake that no one took advantage of, or it could be remembered 20 years from now as a monumental moment in the history of the Internet," Murphy told Power Play.
He said the bug is thought to be a mistake in programming and is not currently considered "malicious software."
"The real question from a security perspective is, it took two years for security researchers to discover it. How many bad guys or how many intelligence agencies or governments may have spotted it sooner and what have they done."
With files from The Associated Press and The Canadian Press