John Zabiuk says he thinks that could be just the tip of the iceberg, because the Heartbleed vulnerability went undiscovered for two years.
Zabiuk is with the Northern Alberta Institute of Technology in Edmonton, where he teaches students to protect computer systems by approaching the problem from a hacker's viewpoint.
He says the Heartbleed bug, a flaw in the open-source security software that's commonly used to protect sensitive personal information online, is probably the largest flaw ever to hit the Internet.
The revenue agency says it is analyzing data to determime what else might have been siphoned out.
Zabiuk says he expects them to discover that a lot more information has been compromised.