A 19-year-old computer science student has been arrested by the RCMP and will face charges on allegations that he exploited the Heartbleed Internet vulnerability to steal confidential information from servers at the Canada Revenue Agency.
The national police force acted quickly, stating that it received information on the alleged breach last Friday.
In a statement Wednesday, the RCMP’s national division said it has arrested Stephen Arthuro Solis-Reyes, 19, of London, Ont., and charged him with one count of unauthorized use of a computer and one count of mischief in relation to data.
“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in ‘O’ Division, have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners,” assistant commissioner Gilles Michaud said.
A computer was seized at the suspect’s residence.
Mr. Solis is a second-year student at the University of Western Ontario. In 2012, he graduated from a London high school, Mother Teresa Catholic Secondary.
He was part of a team from his secondary school that came first in a programming competition at the London District Catholic School Board. He is also the creator of a BlackBerry phone app that solves Sudoku puzzles, which was released while he was still in high school.
Mr. Solis is the son of a UWO computer science professor, Roberto Solis-Oba.
Before moving to London, the family lived in Lafayette, Ind., where the elder Mr. Solis obtained a PhD in computer science at Purdue University.
Prof. Solis didn’t answer an e-mailed request for comment.
The arrest came after the CRA said Monday that about 900 social insurance numbers were stolen from its servers. The CRA had shut down all of its public online services because of the Heartbleed Internet bug.
The CRA statement was one of the first disclosures by an organization that it had lost data to someone exploiting the vulnerability. However, the government has also come under fire for its handling of the threat and the speed with which it has acted to contain the problem. “There are many questions about the response and the timing of the response,” NDP MP Charlie Angus said in an interview. “We see a pattern with this government, which is to protect the minister rather than protect the interests of Canadians.”
The CRA won’t say when the breach occurred: during the two years in which the bug went undetected, or during the 24-hour gap between the public revelation of Heartbleed’s existence and the CRA’s shutdown of its websites last week.
The CRA also declined to explain how it determined which SINs were hacked, since Heartbleed intrusions are hard to detect.
Internet security expert Mark Nunnikhoven previously told The Globe and Mail that the breach was probably detected through network monitoring from one of the federal government’s agencies dealing with Internet security, such as Shared Services Canada or even the Communications Security Establishment Canada (CSEC).
While a Heartbleed breach would have left no traces of a data leak on the logs of CRA servers, it would have been spotted by network-monitoring tools that capture and analyze transiting data packets, he said.