Skip to main content

The Globe and Mail

Security risk not limited to those who have filed tax return online

The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called Heartbleed.

Mark Blinch/Reuters

Canadians who have never filed their taxes online might believe they are safe from the Heartbleed bug that hit websites around the world and shuttered the Canada Revenue Agency's site over security concerns.

They could be wrong, say tax specialists. Any individual or business who has employed a tax accountant in the past two years – or has simply created an online profile on the Canada Revenue website, has potentially been exposed.

Accountants regularly access the CRA website for pieces of tax information their clients might be missing, such as RRSP contribution room. The sensitive information the agency stores includes people's salaries, social insurance numbers as well as where they bank and hold their investments.

Story continues below advertisement

"If they breach the site, everyone's information is on there already – regardless of whether they have ever filed taxes online," says Mark Goodfield, a tax accountant and managing partner with Cunningham LLP in Toronto.

Accountants regularly access financial information from the tax agency's website to put together tax returns for their clients, he said. "But you if have never set up an online account or given an accountant permission to access your information online, I don't know if it would be vulnerable."

Robin Taub, owner of Robin Taub Financial Consulting, noted that the CRA servers hold Canadians' most sensitive information. "This is really scary because the CRA has your social insurance number, your date of birth, your financial information, basically everything someone would need to steal your identity or commit fraud," he said.

Governments and companies around the world are scrambling to patch a major vulnerability that became widely known only this week. There is no evidence to indicate the weakness has been exploited, however security experts say the problem is that there is no way to trace whether someone has used the opening to steal sensitive information.

The Canada Revenue Agency shut down its electronic filing services Tuesday evening and said in an updated statement Thursday that the April 30 filing deadline will be extended by the same duration as the shutdown.

"In keeping with industry practice, we are currently implementing a solution, or 'patch,' for the bug, and are vigorously testing all systems to ensure they will be safe and secure once the site is relaunched," a note on the CRA's website said.

A spokeswoman for Revenue Minister Kerry-Lynne Findlay said Thursday that services will be back up soon. "CRA is currently working on a remedy for restoring online services and, at this time, anticipate that services will resume soon," said Rebecca Rogers in an e-mail.

Story continues below advertisement

Other departments are also looking into the issue, but it is not clear what actions have been taken.

A spokesperson for Shared Services Canada – which manages a wide-range of programs like payroll and IT for numerous federal departments – said in a statement that it "is working with departments and Public Safety Canada to assess all IT systems and to apply solutions as required."

Report an error Licensing Options
About the Authors
Personal Finance Web Editor

Roma Luciw is the Globe and Mail’s personal finance editor. She has worked at the Globe as a business journalist since 2001, covering stock markets, breaking news, and most recently anything that helps regular Canadians manage their own money. More

Parliamentary reporter

A member of the Parliamentary Press Gallery since 1999, Bill Curry worked for The Hill Times and the National Post prior to joining The Globe in Feb. 2005. Originally from North Bay, Ont., Bill reports on a wide range of topics on Parliament Hill, with a focus on finance. More

Comments

The Globe invites you to share your views. Please stay on topic and be respectful to everyone. For more information on our commenting policies and how our community-based moderation works, please read our Community Guidelines and our Terms and Conditions.

We’ve made some technical updates to our commenting software. If you are experiencing any issues posting comments, simply log out and log back in.

Discussion loading… ✨

Combined Shape Created with Sketch.

Combined Shape Created with Sketch.

Thank you!

You are now subscribed to the newsletter at

You can unsubscribe from this newsletter or Globe promotions at any time by clicking the link at the bottom of the newsletter, or by emailing us at privacy@globeandmail.com.