Heartbleed and Filing Taxes – What to Know
April 10, 2014 : Kristin Shaw
You may have heard about a security flaw called “the Heartbleed bug” that is affecting various websites. You may also be wondering what it means for people electronically filing tax returns. Here’s what you need to know:
Is H&R Block affected by the Heartbleed bug?
We have found no risk to client data from this issue. As a result of this situation, we are reviewing our systems and taking the appropriate steps to ensure our customers are protected.
Is the IRS affected by the Heartbleed bug?
The IRS has said that their systems continue to operate and are not affected by this bug, and they are not aware of any security vulnerabilities related to this situation. The IRS continues to accept tax returns as normal. The advice to taxpayers is to continue filing tax returns, including e-file.
What about the Canadian Revenue Agency?
You may know that the Canadian Revenue Agency (CRA) has closed all electronic filing. The CRA has also indicated that individuals who file after the April 30 deadline will not be subject to interest and penalties. The exact grace period will be announced at a later time.
For our Canadian clients, here’s more information about H&R Block operations during this period when the CRA is not accepting e-filed returns.
Should I change my password?
There is no need to change your H&R Block password due to this issue. However, regularly changing passwords is recommended, as well as using different passwords for your various website accounts.
Generally, when it comes to changing your password in response to this issue, the advice is mixed. If a site you use is affected by the Heartbleed bug, you should wait until the problem is addressed before changing your password. You can see whether a site is affected by using this tool.
What is this Heartbleed bug anyway?
To (attempt to) simplify: websites use Secure Sockets Layer, or SSL, to encrypt sensitive information so it can be transmitted. This is denoted by an https:// or green padlock in the address bar of your browser. “OpenSSL” is a particular way to achieve this encryption – it also happens to be the most popular.
The Heartbleed bug allows someone to read the memory of servers using OpenSSL. Basically that means they can access the sensitive data that was supposed to be transmitted securely. Most websites are actively working to protect themselves against that possibility. USA Today has a great explainer and more answers to common questions.