Heartbleed Bug: Canada Arrests Teen for Alleged Data Theft on Tax Agency

  on April 17 2014 12:10 PM
  • File picture illustration of the word 'password' pictured through a magnifying glass on a computer screen, taken in Berlin May 21, 2013. Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until vulnerable websites upgrade their software. Researchers have observed April 8, 2014, sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used Web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers. OpenSSL is used on about two-thirds of all Web servers, but the issue has gone undetected for about two years. REUTERS/Pawel Kopczynski/Files
  • The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called the "Heartbleed Bug" in Toronto, April 9, 2014. Right in the heart of tax-filing season, the Canada Revenue Agency (CRA) shut down access to online tax services on April 9, 2014 because of an Internet bug that has made data on many of the world's major websites vulnerable to theft by hackers. REUTERS/Mark Blinch
  • Royal Canadian Mounted Police (RCMP) investigators canvas the London, Ontario neighbourhood April 16, 2014, around the home of Stephen Solis-Reyes who has been charged in connection with exploiting the "Heartbleed" bug to steal taxpayer data from a government website. The suspect was arrested at his home in London, Ontario on Wednesday and faces criminal charges of unauthorized use of computer and mischief in relation to data. REUTERS/Geoff Robins
  • Roberta Solis-Oba, father of Stephen Arthuro Solis-Reyes who has been charged in connection with exploiting the "Heartbleed" bug to steal taxpayer data from a government website, leaves the family home in London, Ontario April 16, 2014. The suspect was arrested at his home in London, Ontario on Wednesday and faces criminal charges of unauthorized use of computer and mischief in relation to data. REUTERS/Geoff Robins

The Royal Canadian Mounted Police has arrested a 19-year-old Canadian in relation to the Heartbleed security breach.

Stephen Arthuro Solis-Reyes from London, Ontario was accused of using Heartbleed to steal confidential taxpayer data from the Canada Revenue Agency Web site. The RCMP alleged Mr Solis-Reyes stole 900 social insurance numbers.

Mr Solis-Reyes faces one count of unauthorized use of a computer and one count of mischief in relation to data.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," Gilles Michaud, Assistant Commissioner, said in a statement.

"Investigators . . . have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners."

But Faisal Joseph, counsel for the accused, blasted the RCMP over the way it arrested Mr Solis-Reyes.

Mr Joseph told the London Free Press his client was held in a police station without access to counsel for six hours.

Mr Solis-Reyes, a computer science student at Western University, was a "gifted" man whom the RCMP turned into a "national spectacle," Mr Joseph said.

"They know he is starting to write exams on Thursday. They know this is a national story. They threatened to go public with this to humiliate and embarrass him. They know this kid has an A average and they know he does well in school," Mr Joseph told the London Free Press.

"I just think it is totally inappropriate to try to destroy a kid's life before he even has an opportunity to speak to a lawyer and get legal advice. And now they're going to make a national spectacle out of him."

Mr Solis-Reyes is scheduled to appear in an Ottawa court on July 17.

"It is believed that [Mr] Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug," the RCMP said in a statement.

Revealed to the public a week ago, the Heartbleed bug is a flaw in OpenSSL, a cryptographic software library used by services to keep data transmissions private.

However, the flaw had been open to exploitation for two years before it was discovered. Experts warned that more data may already have been stolen and that Mr Solis-Reyes was probably just the latest to have tinkered with it.

"Keep in mind that this is a vulnerability that, from what we've known, has existed for about two years now," Adam Molnar, a post-doctoral fellow with the Surveillance Studies Centre at Queen's University, told the Montreal Gazette.

"And so there is every reason to believe that there is more information that has been compromised. We're not just talking about information from within CRA, we are talking about a lot of other services that Canadians use."
