This is a high school yearbook photograph of Stephen Arthuro Solis-Reyes, 19, in London, Ont.Dave Chidley/The Canadian Press
A London, Ont., teenager linked to a privacy breach of social insurance numbers at the Canada Revenue Agency is facing 16 new charges.
The agency was forced to shut down its website during April's tax season due to a security vulnerability caused by the Heartbleed bug. The CRA has said that about 900 social insurance numbers were stolen during the breach.
The RCMP announced the additional charges against Stephen Arthuro Solis-Reyes on Wednesday, including one count of obtaining directly or indirectly a computer service contrary to the Criminal Code and one count of intercepting a function of a computer system contrary to the Criminal Code.
The disclosure came on the same day senior CRA officials told a parliamentary committee the agency is taking measures to better protect the privacy of Canadians.
The RCMP revealed that while investigating the breach against the CRA's website, the RCMP uncovered further victims "unrelated to the case at hand."
These additional allegations have led to 14 of the 16 new charges, including five counts for possessing a computer password that would enable him to commit an offence of unauthorized use of a computer.
Mr. Solis-Reyes is scheduled to appear in court Dec. 19. His lawyer, Gord Cudmore, could not be reached. However, Mr. Cudmore told the CBC on Wednesday that his client is "a fine young man" and that "there are no allegations of any malice on his part."
The CRA officials who appeared Wednesday before the House of Commons finance committee were not asked directly about the new charges, but they did comment on measures to increase privacy protection.
"We do take protection of information very seriously, obviously," said Roch Huppé, chief financial officer and assistant commissioner. Mr. Huppé said the agency found 75 cases last year of CRA employees accessing information that they should not have.
Mr. Huppé said the agency is responding to concerns from the Privacy Commissioner that it is rarely told about privacy breaches.
In addition to concerns related to privacy, the agency has been on the defensive over the past year related to the CRA's approach to auditing charities for potential violations of rules related to political activity.
Officials insisted Wednesday that ministers and political staff are not involved in decisions as to which charities are audited by the agency.
In September, The Globe reported that a staff shakeup at the agency will result in fewer senior auditors working on international files as the CRA shifts resources toward small- and medium-sized Canadian businesses.
The Professional Institute of the Public Service of Canada, the union representing affected auditors, has said the actions inside the agency appear to be at odds with government promises to beef up efforts to tackle off-shore tax evasion.
Canada, along with the other nations of the G20 and the Organization for Economic Development and Cooperation, have made pledges to increase enforcement and information sharing to reduce international tax evasion.
Ted Gallivan, the CRA's deputy assistant commissioner of the compliance programs branch, said there have been "misconceptions" about the changes.
"We haven't reduced the number of auditors," he said. "We have made a number of changes in terms of specialization, structure, organizational reporting relationships that sometimes gives rise to these misconceptions … We work very hard to retain those [senior] people."
Bill Curry