Teen arrested in Heartbleed attack against Canadian tax site

The Canada Revenue Agency, which reported data on 900 taxpayers was stolen, is one of the first victims to report a Heartbleed attack

Canadian police have arrested a 19-year-old man for allegedly using the Heartbleed bug to steal data about taxpayers.

Stephen Arthuro Solis-Reyes, of London, Ontario, took advantage of the vulnerability to steal information from the Canada Revenue Agency's website, according to the National Division of the Royal Canadian Mounted Police. They arrested him on Tuesday without incident. Solis-Reyes faces one count of unauthorized use of a computer and one count of "mischief in relation to data."


The CRA, one of the first victims to report a Heartbleed attack, said on Monday that the vulnerability had been used to steal the Social Insurance Numbers of about 900 people. After discovering the attack, the agency temporarily halted online filing of tax returns. Social Insurance Numbers are required to work or get government benefits in Canada.

Heartbleed lets attackers capture data from server memory 64KB at a time, putting passwords, encryption keys and other data at risk. The bug lived in OpenSSL, a popular implementation of the SSL (Secure Sockets Layer) Web encryption protocol, for about two years before it was exposed last week. Though the bug affected a broad swath of websites and was found in many models of server and network equipment, reports of Heartbleed attacks only started to emerge after the flaw had been disclosed.

The RCMP arrested Solis-Reyes after four days of investigation. It searched his residence and seized computer equipment, and the investigation continues, the agency said in a press release. Solis-Reyes is scheduled to appear in court in Ottawa on July 17.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is stephen_lawson@idg.com
