Skip to main content

The Globe and Mail

As Heartbleed bug wreaks havoc, Corporate Canada touts e-security

Researchers have identified a potential security threat in the encryption technology that is supposed to protect online accounts for e-mails, instant messaging and a wide range of electronic commerce.

PEDRO NUNES/iSTOCKPHOTO

The Heartbleed security bug has sent a chill through the world of e-commerce, even though most companies that count on the Internet to do business say they have put fixes in place to make sure they are not vulnerable.

While the bug has been around for as long as two years, the issue came to a head Wednesday when the Canada Revenue Agency (CRA) said it had blocked public access to its online services because of concerns over potential security breaches.

The flaw in OpenSSL, a common encryption technology, can expose passwords and personal information to hackers.

Story continues below advertisement

Many Canadian firms with widely used Internet sites said they have already dealt with the problem, or they haven't been affected, so clients shouldn't worry. Accountants who file client tax returns, however, are apoplectic about the CRA shutdown.

The Canadian Bankers Association said the online banking operations of the country's banks have not been hit by the bug, thanks to their sophisticated security systems and active monitoring. Toronto-Dominion Bank said it "has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk."

The two biggest airlines weren't hit either. Air Canada said it wasn't affected, while WestJet Airlines Ltd. said the airline has taken no special action. "We've assessed our systems in light of this bug and determined that thanks to a number of existing security features, our risk is low," WestJet spokesman Robert Palmer said.

Wal-Mart Canada said the version of the software it runs on its site has not been hit by the security issue, while Amazon.ca, Indigo Books & Music Inc. and Rogers Communications Inc. said they weren't affected. Nor was medical testing lab LifeLabs Medical Laboratory Services.

Others, such as Manulife Financial Corp., would not comment about security issues. Sun Life Financial Inc. would say only that "security and safety remain a top priority for the organization."

American companies were more forthcoming, although few admitted to widespread security breaches.

A spokesman for Facebook Inc. said it had added protection to its version of OpenSSL before the issue was publicly disclosed, adding that individual users should still be vigilant about their passwords. "We haven't detected any signs of suspicious account activity that would suggest a specific action," he said.

Story continues below advertisement

At Yahoo Inc., which was hit, the company has now "successfully made the appropriate corrections across our entire platform," a spokesperson said.

Google Inc. said it "fixed this bug early" and users do not need to change their passwords. Still, while the patches have been make to all the key Google services such as its search function, Gmail and YouTube, the company acknowledged that some other services still need to be fixed.

Meanwhile, Canadian accountants were scrambling to deal with the temporary shutdown of the CRA website because of the bug, just three weeks ahead of the April 30 deadline for filing personal income tax returns.

"This is crazy. We can not e-file any returns today, which is definitely delaying things on our end," said Wayne Bewick, a chartered professional accountant with Trowbridge Professional Corp. in Toronto, who estimates that 70 per cent of the firm's filing is done over the Internet.

In a statement on its website, the CRA said that it anticipates that services will resume "over the weekend," and that "individual taxpayers will not be penalized for this service interruption." It did not give any details as to whether it would extend the deadline or by how long.

"The timing is insanely terrible. Because we are getting into the heart of tax season now," Mr. Bewick said, adding that even a four- or five-day delay in getting the site back up and running safely would be "a hassle."

Story continues below advertisement

Mr. Bewick said the CRA would likely "extend the e-filing deadline as well so that there will likely be an additional week to get things done."

In addition to not being able to file taxes electronically, accountants use the tax agency's website to find information about their clients, such as their Registered Retirement Savings Plan contribution limits, their T4 slips and pension details.

"For accountants, this is a big deal because we use this site regularly," said Mark Goodfield, a tax accountant and managing partner with Cunningham LLP in Toronto. "So it hampers us."

Robin Taub, a CPA, CA and owner of Robin Taub Financial Consulting, said that undoubtedly, some companies are frustrated. "This affects a lot of people because the personal filing tax deadline is soon, but this also affects corporations and people who own businesses."

Many business owners use the CRA site to access their GST/HST, payroll, and other accounts online, Ms. Taub said. "The scope goes beyond the personal tax filing deadline."

The shutdown of the site is inconvenient, she said. "But in a way, this would be the best outcome – inconvenience – as opposed to identity theft or fraud."

With files from reporters Tim Kiladze, Bertrand Marotte and Marina Strauss

Report an error Licensing Options
About the Authors
Reporter, Report on Business

Richard Blackwell has reported on Canadian business for more than three decades. At the Financial Post and the Globe and Mail he has covered technology, transportation, investing, banking, securities and media, among many other subjects. Currently, his focus is on green technology and the economy. More

Personal Finance Web Editor

Roma Luciw is the Globe and Mail’s personal finance editor. She has worked at the Globe as a business journalist since 2001, covering stock markets, breaking news, and most recently anything that helps regular Canadians manage their own money. More

Comments

The Globe invites you to share your views. Please stay on topic and be respectful to everyone. For more information on our commenting policies and how our community-based moderation works, please read our Community Guidelines and our Terms and Conditions.

We’ve made some technical updates to our commenting software. If you are experiencing any issues posting comments, simply log out and log back in.

Discussion loading… ✨

Combined Shape Created with Sketch.

Combined Shape Created with Sketch.

Thank you!

You are now subscribed to the newsletter at

You can unsubscribe from this newsletter or Globe promotions at any time by clicking the link at the bottom of the newsletter, or by emailing us at privacy@globeandmail.com.