RCMP charge 19-year-old man in Heartbleed privacy breach
Christina Commisso, CTVNews.ca
Published Wednesday, April 16, 2014 2:15PM EDT
Last Updated Wednesday, April 16, 2014 7:36PM EDT
A 19-year-old man from London, Ont., has been charged in connection with using the Heartbleed bug to exploit taxpayer data from the Canada Revenue Agency website.
The RCMP announced Wednesday that Stephen Arthuro Solis-Reyes was arrested at his home Tuesday without incident. He has since been released and is staying with his parents in London's north end.
Solis-Reyes faces charges related to one count of unauthorized use of a computer and one count of mischief in relation to data.
He’s the son of a computer science professor at Western University, CTV News has confirmed.
The CRA shut down public access to its online services on April 8 after learning its systems were vulnerable to the Heartbleed bug. Then on Monday, the agency announced that the Social Insurance Numbers of about 900 taxpayers were taken from the CRA systems over a six-hour period by someone who had exploited the Heartbleed bug
"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," Assistant RCMP Commissioner Gilles Michaud said in a statement.
Michaud said investigators have been working "tirelessly" over the last four days to analyze data, follow leads and conduct interviews.
The RCMP executed a search warrant earlier this week, where they confiscated every computer in the London home and analyzed their contents.
The Heartbleed bug was revealed early last week when it was discovered by a small team from Finnish security firm Codenomicon, while working independently from a Google Inc. researcher who also diagnosed the bug.
The flaw affects OpenSSL, one of the most widely used open-source software programs used to encrypt Internet communications. It’s used on approximately two-thirds of web servers.
The bug allows information in servers using OpenSSL to be viewed, meaning sensitive data can be exploited. The CRA website was one of many online domains that took precautions from the Heartbleed bug.
Solis-Reyes, a second-year Western University student, faces a maximum 10-year sentence if convicted.
He’s expected to appear in an Ottawa court on July 17, 2014 to face the charges.