IRS: File your taxes now, ignore Heartbleed bug

April 14, 2014: 1:13 PM ET
NEW YORK (CNNMoney)

Millions of people are filing their taxes just as governments grapple with Heartbleed, the worst privacy-killing Internet bug ever.

Is your information at risk? It depends on where you live.

The IRS said its systems weren't vulnerable to the computer bug, so U.S. folks are instructed to keep filing their taxes. But if you want a look at the potential dangers, just turn your attention to the United States' northern neighbor.


Canada's taxing authority slammed on the brakes -- taking down its website for a few days -- after realizing its computers were exposed. Sure enough, there was a breach.

On Monday, the Canada Revenue Agency discovered that someone had exploited the Heartbleed bug to tap into its systems for six hours and grab the Social Insurance Numbers of 900 taxpayers. The agency has since brought its website back online, with Canadian revenue commissioner Andrew Treusch assuring the public that it's now "safe and secure."

There's no sign the same thing has happened at the IRS. But with so many people filing taxes via big tax preparers and local independent accountants, there's cause for concern.

The nation's largest tax preparers say they dodged the bullet. Intuit (INTU), maker of the popular TurboTax software program, said it wasn't affected by Heartbleed. But just in case, the company has taken security measures to make sure no one can trick your computer into visiting a fake TurboTax website.

H&R Block (HRB) said it's still reviewing its computer systems but has "found no risk to client data." It isn't clear whether H&R Block was ever vulnerable or, if it was, whether it then patched the problem. The tax preparer told CNN its websites weren't using the vulnerable version of OpenSSL, the program that encrypts sensitive information for security purposes.


However, there's no way to make sure you weren't spied on while filing your taxes, even if the chances were probably slim. The way Heartbleed works -- poking a hole in the way people communicate online -- is complicated. And it affects a lot of the equipment used by websites, big employers and small businesses everywhere. That means online communication might not have been safe at work or at home. It's difficult to be certain you were never exposed.

Small businesses aren't likely to upgrade their systems anytime soon, so it's worth asking your accountant if they've reviewed their computer system. It's not an easy task.

If you filed online, your best bet is to check that the website you use doesn't rely on the vulnerable version of the OpenSSL program -- or that it at least patched it right away. Some companies are issuing statements online to guide customers.


Tom Cross is the director of security research at Lancope, which makes hardware that helps companies investigate breaches. He offers this as consolation: Most major websites moved fast to fix this.

But the reality is that the bug left many systems exposed for more than two years now. And the last week has provided a brief window that's especially unsafe because now the vulnerability is known publicly.

There is another option though. You can just file your taxes the old way: slip the check into an envelope, lick it shut and drop it into a mailbox.

That's the advice of Darren Hayes, a cybersecurity researcher. It sounds odd coming from someone who teaches computer science at Pace University. But he said, "The more you know tech, the more tech you shy away from sometimes."

