The Globe and Mail

The Canada Revenue Agency website is seen on a computer screen displaying information about the Heartbleed security risk on April 9, 2014.


A 19-year-old computer science student has been arrested by the RCMP and will face charges on allegations that he exploited the Heartbleed Internet vulnerability to steal confidential information from servers at the Canada Revenue Agency.

The national police force acted quickly, stating that it received information on the alleged breach last Friday.

In a statement Wednesday, the RCMP's national division said it has arrested Stephen Arthuro Solis-Reyes, 19, of London, Ont., and charged him with one count of unauthorized use of a computer and one count of mischief in relation to data.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in 'O' Division, have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners," assistant commissioner Gilles Michaud said.

A computer was seized at the suspect's residence.

Mr. Solis is a second-year student at the University of Western Ontario. In 2012, he graduated from a London high school, Mother Teresa Catholic Secondary.

He was part of a team from his secondary school that came first in a programming competition at the London District Catholic School Board. He is also the creator of a BlackBerry phone app that solves Sudoku puzzles, which was released while he was still in high school.

Mr. Solis is the son of a UWO computer science professor, Roberto Solis-Oba.

Before moving to London, the family lived in Lafayette, Ind., where the elder Mr. Solis obtained a PhD in computer science at Purdue University.

Prof. Solis didn't answer an e-mailed request for comment.

The arrest came after the CRA said Monday that about 900 social insurance numbers were stolen from its servers. The CRA had shut down all of its public online services because of the Heartbleed Internet bug.

The CRA statement was one of the first disclosures by an organization that it had lost data to someone exploiting the vulnerability. However, the government has also come under fire for its handling of the threat and the speed with which it has acted to contain the problem. "There are many questions about the response and the timing of the response," NDP MP Charlie Angus said in an interview. "We see a pattern with this government, which is to protect the minister rather than protect the interests of Canadians."

The CRA won't say when the breach occurred: during the two years in which the bug went undetected, or during the 24-hour gap between the public revelation of Heartbleed's existence and the CRA's shutdown of its websites last week.

The CRA also declined to explain how it determined which SINs were hacked, since Heartbleed intrusions are hard to detect.

Internet security expert Mark Nunnikhoven previously told The Globe and Mail that the breach was probably detected through network monitoring from one of the federal government's agencies dealing with Internet security, such as Shared Services Canada or even the Communications Security Establishment Canada (CSEC).

While a Heartbleed breach would have left no traces of a data leak on the logs of CRA servers, it would have been spotted by network-monitoring tools that capture and analyze transiting data packets, he said.
