The Canada Revenue Agency has become a high-profile casualty in the latest scare over a gaping hole in Internet security.

Canada’s income tax agency said Wednesday that it has cut off public access to a slate of electronic services on its website due to concerns over the so-called Heartbleed Bug — a flaw in widely used encryption software that could leave millions of online passwords and sensitive personal information exposed.

The CRA said it will likely take until the weekend to restore service at its website.

The shutdown — which the CRA called a “preventative measure” — comes just three weeks before the April 30 deadline for Canadians to file personal income tax returns.

It highlights the vulnerability of a steadfast Canadian institution. The prospect of a serious software defect transforms CRA’s electronic records — which hold personal information willingly filed by millions of Canadians taxpayers, such as names, addresses, income and social insurance numbers — into a potential treasure trove for would-be hackers.

“This is a major concern because the type of information that is available in the context of the tax services is extremely private and sensitive,” said Vern Krishna, a law professor at the University of Ottawa and tax counsel at Borden Ladner Gervais LLP.

CRA has stringent confidentiality and privacy rules intended to prevent unauthorized disclosure of tax information, Krishna said.

“Presumably they will be testing the systems to see that they are robust — because, frankly, if they’re not and there has been a massive disclosure, that will undermine confidence in the tax system.”

CRA said in a statement that it will “continue to investigate any potential impacts to taxpayer information.”

It also said Canadians who owe income taxes for 2013 will be exempt from interest and penalties on returns filed after the April 30 filing deadline for a period equal to the length of interruption in service.

That grace period was confirmed by the minister of national revenue.

The Heartbleed Bug scare pulsated through the Internet on Wednesday, with online giants Google, Facebook and Yahoo reporting they either are in the process of fixing the problem or have already dealt with the threat.

The bug affects open-source software called OpenSSL, which lies at the heart of millions of applications used to encrypt Internet communications.

The flaw can reveal the contents of a computer server’s memory — and all the private data that it contains: names, passwords, credit card information — without leaving a trace of the breach. Worse still, it allows hackers to obtain copies of a server’s digital keys, making it possible to build a decoy website and fool people into thinking they are accessing the legitimate one.

The issue was reportedly detected last week by Internet security experts in Finland and researchers at Google, but it was only revealed widely in the online security community on Monday.

The CRA’s shutdown came after the federal Canadian Cyber Incident Response Centre issued a warning to system administrators about the coding flaw. It recommended that system operators unable to plug in an immediate fix get off the grid.

In a message on its website, the CRA said it learned about the Heartbleed Bug late Tuesday and “acted quickly as a preventative measure, to temporarily shut down public access to our online services to safeguard the integrity of the information we hold.”

Evelyn Jacks, an income tax expert and author, said the CRA did the right thing.

“They became aware of this and mitigated risk by shutting down the site and putting on the fix,” Jacks said.

The affected services include EFILE and NETFILE — password-protected Internet portals used by millions of Canadians to file their income tax returns electronically.

“It’s been a huge inconvenience,” said Allan Fefergrad, a chartered professional accountant in Montreal. “I submit several returns a day. We do about 400 to 500 returns a year. Probably 50 per cent of them happen in the last two to three weeks of April.”

Loading... Loading... Loading... Loading... Loading... Loading...

The agency acknowledged the service interruption “may represent a significant inconvenience.”

Fefergrad worries that social insurance numbers and other personal information are vulnerable.

“Who knows who hacked into it and what they’re going to do with that information,” he said.

Fefergrad, head of Better Tax Services, advises tax filers to be patient and wait out the delay rather than turning to paper returns, which can take four to six weeks to process, compared to the seven to 10 business days to process an online file.

(Click here for more information on the bug.)

In addition to e-filing functions, the shutdown affects the My Account, My Business Account and Represent a Client features used by professional tax preparers. Also hit is a do-it-yourself tax filer’s ability to double-check T4 slips, last year’s notice of assessment and RRSP deduction limits.

Tax preparers H&R Block said it will continue to prepare tax returns for clients this week and will submit them when the CRA restores electronic filing.

Cleo Hamel, senior tax analyst with H&R Block Canada, said Canadians should still take the time to prepare their returns because the deadline is fast approaching.

“Get the return done. That’s the hardest part. It will be a task on your to-do list that you’ve completed.”

Be prepared when applying for any tax rebate

It is a busy time of year for the tax agency, as people file returns electronically and track the progress of refunds online. Tax credits you may be missing

As of the end of March, the agency had received 6.7 million returns, with 84 per cent filed electronically.

Seven most common taxable benefits explained

With files from The Canadian Press

Read more about: