Student arrested for Heartbleed-exploiting tax agency breach

A 19-year-old Canadian student has been arrested for breaching the systems of the Canada Revenue Agency (CRA) and extracting Social Insurance Numbers of some 900 taxpayers. It is believed that he was able to do so by exploiting the infamous Heartbleed bug.

The Royal Canadian Mounted Police’ National Division Integrated Technological Crime Unit (ITCU) has swooped down on London, Ontario based Stephen Arthuro Solis-Reyes on April 15, when he was arrested without incident in his home and his computer equipment was seized.

“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” Assistant Commissioner Gilles Michaud said in a statement. “The success of this investigation reflects the collaborative efforts of the RCMP and other government agencies as well as the London Police Service.”

The Canada Revenue Agency took its online services offline on April 8, after having been informed of the danger that the vulnerability presented to the security of its systems, but that was apparently not fast enough.

In the hours between the public revelation of the existence of the bug and the service takedown, Solis-Reyes allegedly managed to perform the attack.

The Globe and Mail reports that Solis-Reyes is a computer science student at Western University. He is scheduled to appear in court in Ottawa on July 17, 2014, and is expected to be charged with one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data.

The RCMP also said that the investigation into this breach is still ongoing, so it might yet turn out that other people were involved.

The CRA is not the only victim of a Heartbleed attack. UK-based website for parents Mumsnet has also suffered a breach that was apparently confirmed by the attacker as having been executed by leveraging that particular vulnerability.

After having messed with a few accounts, the attacker used one to explain his or her motive:

It was not her phone or personal computer being left logged in anywhere, it was the heartbleed exploit bleeding users login/password combinations in plain text to whoever sent the right query to the server.

While the tech staff were relatively fast to patch it, like so many others out there they thought ‘the chances of this affecting us before the patch are miniscule’.

I hope the actions of hijacking Justine’s account help draw attention to how big a deal this is. I suspect a lot of people would not have taken it seriously otherwise. Be thankful that the person who got access to the server information was kind enough to let you all know (and at least try and be funny with it) instead of simply sitting on the information.

More about

Don't miss