According to the Canadian Press, police have charged a 19-year-old man from London, Ont., in connection with the loss of taxpayer data from the Canada Revenue Agency website. The data was taken by exploiting the now-infamous Heartbleed OpenSSL bug, which potentially exposed hundreds of millions of people’s personal data to hackers.
Stephen Arthuro Solis-Reyes was arrested at his residence Tuesday and is charged with unauthorized use of a computer and mischief in relation to data, the RCMP said Wednesday.
The CRA removed public access to most of its online services on Tuesday of last week, and since then it has been working “around the clock to implement a ‘patch’ for the bug.” Unfortunately, hackers stole the personal information sometime within a six-hour period.
On Monday the Canadian taxman also said no other “infiltrations” had happened before or after the SIN heist. To avoid any phishing schemes, the CRA said, it would not contact those Canadians whose SINs have been lost.
A search of Solis-Reyes’ residence resulted in the seizure of computer equipment.
“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” said assistant commissioner Gilles Michaud. “Investigators from National Division, along with our counterparts in O Division, have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.”
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy. Its public coming-out party occurred on Monday of last week, when it was also revealed that OpenSSL had known about it for a couple of months, without warning the public. Other reports have also surfaced since, revealing that the US’s much-maligned National Security Agency (NSA) knew about the bug for the past two years.
OpenSSL is the open-source encryption standard used by the majority of sites on the web that need to transmit data users want to keep secure. OpenSSL gives users a “secure line” with the person they’re communicating with, whether it be via email or chat. However, because of a programming error in the implementation of OpenSSL, researchers found that it was possible to send a well-disguised packet of data that looked like a heartbeat, one of the small keep-alive messages the two ends of a connection exchange, and so trick the computer at the other end into sending over data stored in its memory.
The flaw was first reported to the team at OpenSSL a few months ago, then an independent security firm confirmed the bug. The bug has been in the code for about two years.
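The check whose absence made the heartbeat trick described above possible, as an added example (not code from this article or from OpenSSL): a heartbeat states the length of its own payload, and a safe handler confirms that the stated length fits inside the record it actually received before echoing anything back. The function names and sample records are constructed for illustration; the message layout follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST   1   /* message types from RFC 6520 */
#define HB_RESPONSE  2
#define HB_HEADER    3   /* 1 type byte + 2 length bytes */
#define HB_MIN_PAD  16   /* minimum padding after the payload */

/* Constructed sample records (not captured traffic): 4-byte payload + padding. */
static const uint8_t hb_ok[23]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_bad[23] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' }; /* claims 16384 */

/* Payload length the sender claims (big-endian); needs rec_len >= HB_HEADER. */
static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Detection check: bytes a handler would read past the received record if it
 * trusted the claimed length. Non-zero marks a malformed heartbeat. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t need = HB_HEADER + hb_claimed_len(rec);
    return need > rec_len ? need - rec_len : 0;
}

/* Hardened handler: writes the echo response to out and returns its length,
 * or returns 0 to silently discard the record. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = hb_claimed_len(rec);
    /* The bounds check: claimed payload plus padding must fit in the record. */
    if (HB_HEADER + payload + HB_MIN_PAD > rec_len || rec_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_MIN_PAD); /* simplification: zero padding */
    return HB_HEADER + payload + HB_MIN_PAD;
}
```

A non-zero result from `hb_overread` is also a usable signal for logging or alerting on malformed heartbeats at a proxy or sensor that sees the decrypted record.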