Teen Charged in Heartbleed BreachAllegedly Stole Data from Canada Revenue Agency
The Royal Canadian Mounted Police have arrested a 19-year-old London, Ontario, man for his alleged role in exploiting the Heartbleed vulnerability to steal data from the Canada Revenue Agency website.
See Also: Data Center Security Study - The Results
Stephen Arthuro Solis-Reyes was arrested at his residence on April 15 and faces charges of unauthorized use of a computer and criminal mischief, police say in an April 16 statement.
"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," says Gilles Michaud, assistant RCMP commissioner. "Investigators from national division, along with our counterparts ... have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners."
The suspect's computer equipment was seized during the arrest, authorities say. Solis-Reyes is scheduled to appear in court on July 17.
The Canada Revenue Agency reported on April 14 that 900 taxpayers had their Social Insurance numbers compromised in a breach stemming from a cyber-attacker exploiting the Heartbleed vulnerability in agency systems (see: Heartbleed Causes Breach in Canada).
"We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," Commissioner Andrew Treusch said in a statement. "Thanks to the dedicated support of Shared Services Canada and our security partners, the agency was able to contain the infiltration. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach."
In another breach involving Heartbleed, Mumsnet, a UK website for parents, forced all of its users to change their passwords after it discovered that a cyber-attacker had used the vulnerability to access data from users' accounts (see: Heartbleed Breach Reported in UK).
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).