Canadian arrested for hacking revenue agency using Heartbleed security bug

16 Apr, 2014 21:28

A 19-year-old Canadian man has become the first person arrested in relation to the Heartbleed security vulnerability, which he used to steal taxpayer information.

The Royal Canadian Mounted Police (RCMP) is accusing Stephen Arthuro Solis-Reyes of hacking into the Canada Revenue Agency’s (CRA) website late last week.

Solis-Reyes, of London, Ontario, is suspected of stealing around 900 Social Insurance Numbers.

"It is believed that [Mr] Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug," the RCMP said in a statement.

“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” RCMP assistant commissioner Gilles Michaud said. “Investigators from National Division, along with our counterparts in ‘O’ Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.”

Solis-Reyes has been charged with “unauthorized use of a computer” and “mischief in relation to data.” He is scheduled to appear in court on July 17.

The 19-year-old is a second-year student at Western University, located in his hometown. In high school, he was on a team that won first place in a programming competition at the London District Catholic School Board. He has also authored a BlackBerry phone app that solves Sudoku puzzles, according to The Globe and Mail.

His father is a Western computer science professor. The family lived in Lafayette, Indiana before moving to Ontario.

Early last week, the open-source OpenSSL project released an emergency security advisory warning of Heartbleed, a bug that can expose the private keys of a server running vulnerable software, allowing whoever obtains them to read data traffic and even impersonate the server. Heartbleed was first noticed by a Google researcher and Codenomicon, a Finnish security firm.

The Canada Revenue Agency (CRA) reported that the private information of about 900 people was stolen as a result of Heartbleed. CRA became one of the first major organizations to curtail services as a result of the vulnerability.

"Regrettably, the CRA has been notified by the government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period" last week, CRA said on Monday.

Private firms and governments are working to patch their vulnerabilities to the bug, yet more breaches are expected.

The Canadian government “was really slow on this,” Christopher Parsons from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto told CBC.

Yahoo was one major private entity that immediately addressed its exposure to Heartbleed, claiming it had successfully updated its servers after hearing of the bug.

“If you look at Yahoo, it had begun updating its security practices prior to the CRA fully taking action,” Parsons said. “The same thing with other larger companies. As soon as they saw what was going on, they immediately reacted and issued public statements.”