The Royal Canadian Mounted Police (RCMP) said Wednesday it arrested a 19-year-old man from London, Ont. who is alleged to have used the Heartbleed computer bug to steal 900 social insurance numbers from the Canada Revenue Agency (CRA).

The RCMP’s National Division Integrated Technological Crime Unit (ITCU) said its operatives picked up Stephen Arthuro Solis-Reyes at his residence on April 15. He now faces one count of unauthorized use of a computer and one count of mischief in relation to Data.

“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from [the] national division, along with counterparts in ‘O’ Division, have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorization and liaising with our partners,” said Gilles Michaud, RCMP assistant commissioner, in a statement on Wednesday.

This investigation was conducted as part of the ITCU’s mandate to investigate pure computer crimes where the federal government and Canadian critical IT infrastructure are victimized.

The national division’s mandate is to focus its expertise on sensitive, high-risk investigations into significant threats to Canada’s political, economic and social integrity.

The CRA was forced to shut down its website last week as news about the Heartbleed bug spread around the world.

Some researchers said the bug had existed for at least two years, but organizations had done little to protect their systems against it.

On Monday, the CRA said it had discovered that the Social Insurance Numbers (SINs) of 900 Canadian taxpayers had been compromised.

Solis-Reyes is scheduled to appear in court in Ottawa on July 17. The investigation is still ongoing.

  • Scott A. Johnston

    I suspect he may have been the only one to try and hack the CRA and therefore it is an easy case to identify him by his IP. On the theft of 900 SIN numbers, if only the numbers were taken without context to who owns them, then the damage is meaningless. I think it was a show off situation of a bright 19 year old to show how easy it is to hack a computer. The CRA has a bit of egg on its face and needs to deflect the publicity.

  • Go Kart Mozart

    This is not hacking. The real charge should be for – Posting Social Insurance Numbers – not stealing them. The government relied on flawed open-source software to secure the citizens’ private data. The IT department made the information public via faulty policy.
    The accused was downloading any public data – there are thousands of computers scanning the internet downloading any data that is available. It would have to be proven the accused knew the data retrieved was private.
    A secure connection can retrieve both public and private data from a server. It’s the responsibility of the IT department to keep the private data private. This wasn’t done in this case – they relied on broken open-source software.

    • I don’t know if that’s fair to the CRA. It didn’t know about the vulnerability when it implemented OpenSSL encryption on its sites, after all, and like the rest of the web, was caught off guard when the exploit was discovered. It reacted responsibly by taking its services offline to limit exposure and apparently also monitored the situation well enough to identify this person who allegedly exploited the situation to get private information. Using a known vulnerability to extract private data from a server certainly falls under “hacking” activities.

  • gisabun

    Jeez. “…faces one count of unauthorized use of a computer and one count of mischief in relation to Data…” Not being nasty but why is it that if you kill 2 people, you get 2 counts of murder [or for that matter almost any crime] but this guy gets away with one account of each when he probably affected the lives of 900+ people.

    • Go Kart Mozart

      I hope all the Private Security companies that were checking sites for this flaw get charged with “Mischief” and “Unauthorized Use Of a Computer” as well.

      • gisabun

        Problem is that few sites are saying whether or not they had the issue. Will you go and change your password on every site? I have over 80 sites. Would have been easier if those sites that were affected had notified those who have registered.
        Your logic may not pass. There are various sites which gather information about the web server [i.e. Apache, IIS, etc.]. If so, your logic would also mean those sites should also be charged.