The federal tax agency says the social insurance numbers of roughly 900 people were stolen from its systems, which were left vulnerable by the so-called Heartbleed bug.
The Canada Revenue Agency blocked public access to its online services for several days last week until it addressed the security risk, but said Monday there was nonetheless a data breach over a six-hour period.
It said it is analyzing other fragments of data that have been removed from its systems, while putting measures in place to protect those affected by the breach.
"I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act," CRA commissioner Andrew Treusch said in a statement.
"CRA online services are safe and secure. The CRA responded aggressively to successfully protect our systems. We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards."
Everyone affected will receive a registered letter and free access to credit protection services, the agency said.
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy.
The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.
Service was restored Sunday to all publicly accessible Government of Canada websites as well the tax-filing systems E-file and Netfile.
The CRA has apologized to Canadians for the delay and inconvenience, but added it was necessary to ensure the agency's online services were safe and secure.
It said it will not apply interest or penalties to individual taxpayers filing their 2013 tax returns after April 30 for a period equal to the length of last week's service interruption.
That means 2013 tax returns filed by May 5 will not incur interest or penalties.