Frequently asked questions: Heartbleed

1. What is the Heartbleed Bug?

The Heartbleed bug is a security vulnerability that has been found in software that many sites around the world, such as social media sites, company websites and commerce sites, use to encrypt your user name, password and/or financial information when you log into "secure" websites. This software is called OpenSSL. This bug has the potential to expose private data. The CRA uses OpenSSL to authenticate users of its e-services.

After careful consideration, and as a precautionary measure, the CRA temporarily shut down all electronic systems, including My Account, My Business Account, Represent a Client, EFILE and NETFILE until we were assured our systems could be brought back online safely and securely.

2. How can we be sure that the solution the CRA has used to address this security vulnerability is safe?

It is standard industry practice for software companies to provide solutions, called “patches”, when a bug is found in their software. The Heartbleed patch has been proven effective and has been vigorously tested following application to CRA systems, and the CRA is confident that our systems remain safe and secure.

3. What do I do when the CRA’s e-services are back online? Will my tax filing software still work properly with CRA’s systems?

All tax filing software will continue to interact normally with our systems.

4. Should I change my password and user ID?

Given that the “patch” is now in place, Canadians are encouraged to change their user ID and password. While taxpayers can continue to safely log on with their current user ID and password, it is good practice to change your password periodically. Anyone logging in from a computer that was not previously used to log on will be subject to additional screening requirements, as is normal procedure with CRA secure accounts.

To change your password and to manage or view any of the following CRA security options, you must first log in to a service. Once you have logged in, you can access these options on the "Last CRA login" page.

Manage options:

  • Change my user ID
  • Change my password
  • Change my security questions and answers
  • Update my additional security feature
  • Revoke my CRA user ID

View options:

  • View the Terms and conditions of use
  • View my CRA login history for this user ID

5. How will the CRA prevent this from happening again?

The world of information technology is one in which changes happen quickly. In recognition of this, the CRA collaborates closely with government and private sector partners, and stays abreast of the most recent industry developments—which is why we were able to respond quickly to Heartbleed, once the problem became known.

6. I’m waiting for my refund. Will this service interruption delay it?

Tax returns filed continue to be processed normally. Taxpayers should not expect a delay in getting their refund.

7. I’ve recently filed my tax and benefit return with the CRA. How do I know if the CRA received my submission? Do I need to re-file?

Taxpayers and the CRA have certainty on the filing of returns through a confirmation code that is issued only upon successful transmission. If you did receive a code, your return was successfully filed. You can also check the status of your return on My Account.

8. If the service interruption prevented me from filing on time, will I be penalized?

Recognizing that the service interruption lasted five days, the Minister of National Revenue has announced that interest and penalties will not be applied to individual taxpayers filing their 2013 tax returns after April 30, 2014 for a period equal to the length of this service interruption. This means individual tax returns for 2013 filed on or before May 5, 2014 will not incur interest or penalties.
