The RCMP says that it asked the Canada Revenue Agency to delay telling the public about 900 Social Insurance Numbers that were stolen during a breach of the agency's systems, so that it could advance its investigation into the case.
In a statement released Tuesday, the RCMP said it was first notified by the CRA of a "malicious breach" of taxpayer data due to the Heartbleed bug last Friday.
"Late Friday afternoon, given that further access to data was no longer possible and that we had identified a viable investigative path, the RCMP asked CRA to delay advising the public of the breach until Monday morning," the statement said.
The police said the delay allowed investigators to probe the security breach over the weekend, identify possible offenders and lessen additional risks.
The CRA announced Monday that 900 SINs had been stolen from its systems by somebody exploiting the Heartbleed bug. According to the agency, the breach occurred over a six-hour period.
The agency first shut down access to its online services on April 8, after learning that its systems were vulnerable to the bug.
The site was reopened on Sunday, after a patch for the bug had been installed and tested. As well, the deadline for submitting a 2013 tax claim was extended to May 5.
Individuals who had their SINs stolen will be notified by the agency via a registered letter, the CRA said. Affected individuals will also be provided with services to protect their credit for free.
Revealed last week, the Heartbleed bug affects OpenSSL, a commonly used open-source encryption program that is meant to protect online communications. The bug allows information contained on servers using OpenSSL to be viewed, meaning sensitive personal information may be open to theft.
A patch to fix the bug was released last week, and security analysts recommend that users change their passwords and user IDs once the patch has been installed on a specific site.
