OTTAWA – A timeline of the Canada Revenue Agency’s response to the Heartbleed bug:

Monday, April 7: The Canada Revenue Agency says it was first informed of the Heartbleed bug.

Tuesday, April 8: Two senior CRA officials testify at a parliamentary committee, which begins at 11 a.m. Neither make any mention of Heartbleed.

Later that same day, the CRA shuts down public access to its online filing services. The agency says it has been working to implement a patch for the bug and test its systems.

Friday, April 11: At some point in the morning or early afternoon, the CRA notifies the RCMP and the privacy commissioner about a breach of taxpayer data that occurred over an unspecified six-hour period. The agency says at least 900 social insurance numbers were stolen.

The RCMP says it asked the CRA late that afternoon to hold off telling the public about the breach until Monday, April 14, so it could follow up leads in its investigation. The CRA complies.

Sunday, April 13: The CRA restores public access to all its online services.

Monday, April 14: The agency releases a statement indicating at least 900 social insurance numbers had been stolen by someone exploiting the Heartbleed bug.

Tuesday, April 15: The RCMP reveals it asked the CRA to hold off telling the public about the breach until Monday so it could follow up leads in its investigation.

Wednesday, April 16: The RCMP charges 19-year-old Stephen Arthuro Solis-Reyes with one count of unauthorized use of computer and one count of mischief in relation to data. He is scheduled to appear in an Ottawa court on July 17.

Sources:

Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bughttp://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html

CRA update regarding the Heartbleed Bug – Online services restoredhttp://www.cra-arc.gc.ca/gncy/sttmnt-eng.html

RCMP Statementhttp://www.rcmp-grc.gc.ca/ottawa/index-eng.htm