Heartbleed Bug: Canada Arrests Teen for Alleged Data Theft on Tax Agency
The Royal Canadian Mounted Police has arrested a 19-year-old Canadian in relation to the Heartbleed security breach.
Stephen Arthuro Solis-Reyes from London, Ontario was accused of using Heartbleed to steal confidential taxpayer data from the Canada Revenue Agency Web site. The RCMP alleged Mr Solis-Reyes stole 900 social insurance numbers.
Mr Solis-Reyes faces one count of unauthorized use of a computer and one count of mischief in relation to data.
"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," Gilles Michaud, Assistant Commissioner, said in a statement.
"Investigators . . . have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners."
But Faisal Joseph, counsel of the accused, blasted the RCMP over the way the body arrested Mr Solis-Reyes.
Mr Joseph told the London Free Press his client was held in a police station without access to counsel for six hours.
Mr Solis-Reyes, a computer science student of Western University, was a "gifted" man whom the RCMP turned into a "national spectacle," Mr Joseph said.
"They know he is starting to write exams on Thursday. They know this is a national story. They threatened to go public with this to humiliate and embarrass him. They know this kid has an A average and they know he does well in school," Mr Joseph told the London Free Press.
"I just think it is totally inappropriate to try to destroy a kid's life before he even has an opportunity to speak to a lawyer and get legal advice. And now they're going to make a national spectacle out of him."
Mr Solis-Reyes is scheduled to appear in an Ottawa court on July 17.
"It is believed that [Mr] Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug," the RCMP said in a statement.
Revealed to the public a week ako, the Heartbleed bug exploits a flaw in OpenSSL - a cryptographic software library used by services to keep data transmissions private.
However, the exploit has been open for two years before it was discovered. Experts warned more data may have already been stolen and that Mr Solis-Reyes was just the latest to have probably tinkered with it.
"Keep in mind that this is a vulnerability that, from what we've known, has existed for about two years now," Adam Molnar, a post-doctoral fellow with the Surveillance Studies Centre at Queen's University, told Montreal Gazette.
"And so there is every reason to believe that there is more information that has been compromised. We're not just talking about information from within CRA, we are talking about a lot of other services that Canadians use."