Question Period Note: SECURITY VULNERABILITY

How long will CRA services be offline due to a “security vulnerability”? Was the CRA hacked?

• The Canada Revenue Agency (CRA) is committed to protecting the personal and tax information of Canadians. This includes taking
appropriate steps to safeguard sensitive information online.
• We know how important CRA online services are, such as how they allow Canadians to apply for the Canada recovery benefits.
• On December 10, 2021, the CRA became aware of a security vulnerability affecting organizations around the world. Within hours, as a
precaution, we proactively decided to take our systems offline while we work to secure our systems.
• Most of our digital services have been restored as of December 13, 2021. This includes our online portals and electronic filing services.
• There is currently no indication that CRA systems have been compromised, or that there has been unauthorized access to taxpayer
information because of this vulnerability.
• I would like to thank Canadians for their patience as well as CRA employees who worked to restore our services.

The Government of Canada became aware of the Apache Log4j vulnerability on Friday December 10, 2021. As a precautionary measure the CRA disabled access to its digital services, such as My Account, My Business Account and Represent a Client, in order to protect taxpayer information and CRA systems against potential threats.

There is currently no indication that CRA systems have been compromised, or that there has been unauthorized access to taxpayer information because of this vulnerability.

Most of our digital services have been restored as of Monday December 13, 2021. The following service continues to be unavailable and we will update when it is online:
• Order forms and publications

None