"Late Friday afternoon, given that further access to data was no longer possible and that we had identified a viable investigative path, the RCMP asked CRA to delay advising the public of the breach until Monday morning," the statement said.
The RCMP were notified of the security breach on Friday, but asked the agency to hold off making an immediate announcement about the data loss so they could pursue investigative leads.
Word of the Heartbleed security vulnerability prompted the agency to shut down its publicly accessible websites last week.
A number of other federal departments followed suit.
The government says it has solved the problem and the sites re-opened over the weekend.
But the revenue agency did not disclose the loss of data until Monday.
"The RCMP asked CRA to delay advising the public of the breach until Monday morning," the Mounties said in a news release.
"This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigate further risk."
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy. The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.
CRA said it will notify everyone involved in the security breach by registered letter and will offer access to credit protection services.
At least one Internet security expert has suggested that the data losses may go well beyond just 900 social insurance numbers.