CRA restores online service after shutdown to investigate security concerns

Dec 13 2021, 6:53 pm

The world is scrambling to investigate and respond to a newly discovered security vulnerability in widely used web server software.

The CRA has now restored most online services after taking them offline while it worked to secure its systems against potential threats. Canadians trying to log in to their online CRA accounts over the weekend found that sign-in services were unavailable.

“The Government of Canada became aware of the Apache Log4j vulnerability on Friday, December 10, 2021,” Christopher Doody from CRA Media Relations told Daily Hive by email on Monday, December 13, by which time most digital services had been restored.

“As a precautionary measure, the CRA disabled access to its digital services, such as My Account, My Business Account and Represent a Client, in order to protect taxpayer information and CRA systems against potential threats.”

Since the discovery of the Apache vulnerability, there hasn’t been any indication that CRA systems were compromised. There’s also no indication that there was any unauthorized access to taxpayer information related to the vulnerability.

“We wish to reiterate that this situation is not unique to the CRA, and it is the result of a broader security vulnerability that is impacting organizations around the world,” said the CRA.

The vulnerability, called CVE-2021-44228 or Log4Shell, is in Apache’s web server software library. It is unique in that it can give attackers a relatively easy way to compromise any vulnerable machine.

The CRA has shut down user access due to cybersecurity concerns in the past to protect Canadians.

Now, almost all services have been restored, with the exception of order forms and publications. While services are unavailable, Canadians can contact the CRA for assistance, and all service updates will be made available online.

Sarah Anderson
