The world is scrambling to investigate and respond to a newly discovered security vulnerability in widely used web server software.
The CRA has now restored most online services after taking them offline while it worked to secure its systems against potential threats. Canadians who tried to log in to their online CRA accounts over the weekend found that sign-in services were unavailable.
“The Government of Canada became aware of the Apache Log4j vulnerability on Friday, December 10, 2021,” Christopher Doody from CRA Media Relations told Daily Hive by email on Monday, December 13, by which time most digital services had been restored.
“As a precautionary measure, the CRA disabled access to its digital services, such as My Account, My Business Account and Represent a Client, in order to protect taxpayer information and CRA systems against potential threats.”
Since the discovery of the Apache vulnerability, there hasn’t been any indication that CRA systems were compromised. There’s also no indication that there was any unauthorized access to taxpayer information related to the vulnerability.
“We wish to reiterate that this situation is not unique to the CRA, and it is the result of a broader security vulnerability that is impacting organizations around the world,” said the CRA.
The vulnerability, tracked as CVE-2021-44228 and known as Log4Shell, is in the Apache Log4j software library. It is unique in that it has the potential to give attackers a relatively easy way to compromise any vulnerable machine.
Most of our digital services are now available. This precautionary service disruption was done to protect taxpayer information. We thank Canadians for their patience. For more information, visit: https://t.co/1ZuiXnmX2B
— Canada Revenue Agency (@CanRevAgency) December 13, 2021
The CRA has shut down user access due to cybersecurity concerns in the past to protect Canadians.
Now, almost all services have been restored, with the exception of order forms and publications. While services are unavailable, Canadians can contact the CRA for assistance, and all service updates will be made available online.