The RCMP has identified at least one suspect in its probe into the alleged theft of confidential information from the Canada Revenue Agency's website.
In a statement on Tuesday morning, the national police force said it asked the CRA to remain quiet for three days about the possible infraction in order to pursue its investigation.
"Late Friday afternoon, given that further access to data was no longer possible and that we had identified a viable investigative path, the RCMP asked CRA to delay advising the public of the breach until Monday morning," RCMP spokesperson, Corporal Lucy Shorey, said in the communiqué.
"This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigate further risk."
About 900 social insurance numbers were stolen from CRA computers, the revenue department said on Monday, following a shutdown of its public online services caused by the Heartbleed Internet bug. The CRA statement was one of the first disclosures by an organization that it had lost data to someone exploiting the vulnerability.
However, the government has also come under fire for its handling of the threat and the speed with which it has acted to contain the problem.
"There are many questions about the response and the timing of the response," NDP MP Charlie Angus said in an interview. "We see a pattern with this government, which is to protect the minister rather than protect the interests of Canadians."
The CRA won't say when the breach occurred: during the two years in which the bug went undetected, or during the 24-hour gap between the public revelation of Heartbleed's existence and the CRA's shutdown of its websites last week.
The CRA also declined to explain how it determined which SINs were hacked, since Heartbleed intrusions are hard to detect.
Internet security expert Mark Nunnikhoven said it appears the breach was recent and retraced through network monitoring from one of the federal government's agencies dealing with Internet security, such as Shared Services Canada or the Communications Security Establishment Canada.
While a Heartbleed breach would have left no traces of data leak on the logs of CRA servers, it would have been spotted by the network monitoring tools of other federal agencies that capture and analyze transiting data packets, he said.
"If you have multiple layers of security controls in place, you can catch it … that means someone upstream on the government's shared network saw it," Mr. Nunnikhoven, a former IT specialist in the federal government, said.