The federal tax agency says the social insurance numbers of roughly 900 people were stolen from its systems, which were left vulnerable by the so-called Heartbleed bug.
The Canada Revenue Agency blocked public access to its online services for several days last week until it put in place measures to address the security risk, but says there was nonetheless a data breach over a six-hour period.
It says it is analyzing other fragments of data that have been removed from its systems, while putting measures in place to protect those affected by the breach.
The agency says everyone affected will receive a registered letter and free access to credit protection services.
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy.
The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.