The Canada Revenue Agency knew last Friday that hundreds of Canadians had their social insurance numbers stolen from its website because of the Heartbleed security bug but waited until Monday to make it public.

"The Canada Revenue Agency contacted our office last Friday afternoon to notify us about the attack and of the measures it was taking to mitigate risks and notify affected individuals," said Valerie Lawton, a spokeswoman for the Privacy Commissioner's Office, in a written statement Monday afternoon.

The commissioner's office later clarified that it was told by CRA that "several hundred Canadians" had their social insurance numbers stolen from the agency's website due to the Heartbleed security bug.

The CRA publicly confirmed the attack Monday morning.

"Social insurance numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the CRA said in a statement.

heartbleed-illustration

The Canada Revenue Agency says that 900 social insurance numbers were stolen as a result of the Heartbleed bug. (CBC)

But the RCMP said in a statement Tuesday it asked the CRA to delay notifying the public about the breach when the revenue agency referred the matter to the Mounties on Friday.

"Late Friday afternoon, given that further access to data was no longer possible and that we had identified a viable investigative path, the RCMP asked CRA to delay advising the public of the breach until Monday morning," the statement said.

"This deferral permitted us to advance our investigation over the weekend, identify possible offender[s] and has helped mitigated further risk."

The CRA said it became aware of the breach while repairing the bug, and that the theft happened over a six-hour period — although the agency didn't specify what six-hour period is in question, and isn't offering further explanation beyond a statement posted on its website.​

"We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," the CRA said.

The agency said those affected will be contacted via registered letters, and that any attempts to contact a taxpayer via email or telephone are fraudulent.

Data breach 'frightening'

Murray Rankin, the NDP critic for national revenue, says the government has to come clean and tell Canadians exactly what its agencies know.

"This king of identity theft possibility is frightening to a lot of Canadians and the government has to tell us a lot more than they are telling us," Rankin said in an interview with CBC News.

Rankin said the government needs to explain, among other things, why it took the CRA days to repair the vulnerability while some banks were able to fix the problem right away.

"How is it that our banks can look after security so effectively… whereas the Canada Revenue Agency which has such sensitive information hasn't been able to keep our secrets?" Rankin asked.

The department of Employment and Social Development Canada told CBC News Monday afternoon that it is working closely with Service Canada and the CRA "to ensure all appropriate action is being taken" as a result of the breach.

"The department has taken immediate action to flag the SINs of all affected clients in the Social Insurance Register which will enable ongoing monitoring. This annotation of SIN records requires agents to ask for additional information and photo identification each time there is activity related to an affected SIN," the department said in a written statement.

Individuals will be notified "if there are any concerns regarding changes made to information on their SIN records," the Department of Employment said.

The loss of a social insurance number is among the most serious and dangerous forms of identity theft.

"Along with other personal information, someone may be able to use your SIN to apply for a credit card or open a bank account, rent vehicles, equipment, or accommodation in your name, leaving you responsible for the bills, charges, bad cheques, and taxes," Canada's privacy commissioner says on its identity theft fact sheet.

Anyone affected will be provided with credit protection services at no cost, the revenue agency said.

The CRA shut down the public access portion of its website last week, for what it said were precautionary reasons while it implemented a fix to a potential weakness that had been identified. 

The website was reopened over the weekend, but the CRA alerted police that it had confirmed a breach on Friday.

"On April 11, 2014, I informed the Privacy Commissioner of Canada of the breach," CRA commissioner Andrew Treusch said. "The RCMP are investigating."

Security vulnerability

The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the internet to provide security and privacy.

The bug is affecting many global IT systems in both private- and public-sector organizations, and has the potential to expose private data.

Treasury Board officials told CBC News late Monday afternoon that "all federal government departments and agencies updated and tested their OpenSSL software and certificates to address this vulnerability. All government of Canada sites with Open SSL are now up and running."

"We will not provide additional details for operational security reasons," the office of the Treasury Board of Canada Secretariat told CBC News in an email.

Toronto software engineer Justin Bull noticed the vulnerability on the CRA's website ahead of the agency's decision to shut the network down, and Bull says there's a lot we still don't know about the details of this breach.

"Their lack of information on how the attacker obtained these SIN numbers and how they discovered this was the case, gives a wide area of speculation," Bull said Monday.

"Chances are, though, since they know 900 SINs were accessed, that the attackers leveraged Heartbleed to gain access to unauthorized section of the website​."

Stressing he has no personal knowledge of the situation, web security consultant Raymond Vankrimpen with Richter consultancy in Toronto says it's possible that the 900 affected people may just be those with the bad luck to have logged on before the website was shut down.

'We won't see the full fallout for a while.'- Raymond Vankrimpen, security consultant

"In that six-hour window between when the bug was disclosed publicly and they shut down their servers … it could have been the 900 people who accessed the server in that window," he said in an interview.

It's also possible, however, that the CRA found unauthorized activity by correlating a lot of historical data of "normal" activity and cross-referencing that to find discrepancies, he says.

"They would be looking for certain behaviours," he said. "A normal person comes to the CRA to file taxes and does X, Y, Z … so they can look at their logs to make a profile, and when they see anomalies they may link that back to unauthorized activity."

"They're looking for anything out of the normal," Vankrimpen said. "I'm not sure how the CRA came up with 900 [but] if there were some nefarious hackers using it to steal info there could still be repercussions to come."

"We won't see the full fallout for a while," he said.