RCMP have identified a "possible offender" after the Canada Revenue Agency saw 900 social insurance numbers stolen in a web security breach due to the Heartbleed bug.

The Mounties said in a statement Tuesday that they asked the CRA not to tell the public Friday about the breach so they could look into a "viable" lead in their investigation.

But the NDP wants to know more about the government's decision to shut down the CRA website and whether it could have done more to avoid the security breach in the first place.

The CRA spent days patching a hole in its security that allowed hackers to steal information without leaving a trace. The Heartbleed bug affected servers around the world.

"This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigate further risk" the RCMP said.

The RCMP would not provide further details about the suspect.

The CRA temporarily shut down some access to its website late Tuesday last week after warnings that a security flaw in website encryption software — the Heartbleed bug — could leave websites vulnerable to hackers.

The shutdown was extended to other government websites later in the week.

NDP wants answers

The CRA said Monday that it realized on Friday that 900 social insurance numbers had been stolen during a six-hour attack that exploited the Heartbleed vulnerability. It did not indicate when the hour attack had occurred.

The agency notified the privacy commissioner's office Friday and referred the matter to the RCMP.

Fears of a bug in the OpenSSL software used for encryption on two-thirds of the world's internet servers surfaced more than a week ago. The U.S. Department of Homeland Security issued a public warning on April 7. Public Safety Canada issued a notice about the vulnerability the next day, and by the end of the day, CRA had closed parts of its website.

The NDP says there are troubling gaps in what the government has said about the matter to date.

"What's really disturbing is the lack of clarity on what CRA did when they found out about the Heartbleed bug," MP Charlie Angus told CBC News.

Angus and fellow NDP MP Murray Rankin wrote a letter Tuesday calling on Revenue Minister Kerry-Lynne Findlay to "reassure Canadians" by explaining:

  • Who notified the CRA of the Heartbleed bug.
  • When the CRA learned that the bug was in its system and whether precautionary checks were made when the world learned of the bug on April 7.
  • Why the CRA delayed shutting down web operations until Tuesday when news of Heartbleed was made public Monday.

The letter also notes that on the day the CRA website was shut down, the agency's assistant commissioner and chief privacy officer, Susan Gardner-Barclay, was telling MPs on a House of Commons committee that the agency's security systems were "one of, if not the strongest security regimes" in any government department, while making no mention of Heartbleed.

"The world was told on Monday that this backdoor was open. On Tuesday, CRA's top privacy experts were in Parliament saying we've got the best firewall systems anywhere, everything is fine.

"So what happened between the world being told and all the hackers being told that the Heartbleed bug was out there, and CRA taking action?" Angus said.

Gardner-Barclay told CBC News she didn't know of the Heartbleed bug when she appeared at the Commons committee early Tuesday afternoon.

The CRA restored public access to its site over the weekend and extended the tax filing deadline for Canadians to May 5.

with files from James Cudmore