The RCMP says that it asked the Canada Revenue Agency (CRA) to put off alerting the public about the apparent theft of 900 social insurance numbers (SINs), so that it could pursue a lead on a possible suspect.

Police say that they were alerted to a possible malicious breach of taxpayer data due to the Heartbleed bug on Friday April 11. They say they then asked the CRA to delay advising the public of the breach until the morning on Monday, April 14, “given that further access to data was no longer possible and that we had identified a viable investigative path.”

“This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigate further risk,” it says. The RCMP has yet to announce any arrests or charges in connection with the apparent breach.

In the meantime, the CRA says that taxpayers that appear to be affected by the data breach will be receiving registered letters to inform them, and a toll-free number has been set up to provide them with further information, including steps to take to protect the integrity of their SIN. The CRA will also provide affected taxpayers with free credit protection services, and intends to apply additional protections to their CRA accounts to prevent any unauthorized activity.

The agency says that the patch it installed to fix the issue has proven effective. “It has been vigorously tested following application to CRA systems, and the CRA is confident that our systems remain safe and secure,” it says. Given that the “patch” is now in place, the CRA also advises taxpayers to change their user ID and password. It also says that tax returns filed continue to be processed normally, and that taxpayers should not expect a delay in getting refunds.