Mounties get their man: Heartbleed breach suspect arrested


The Royal Canadian Mounted Police have arrested a 19-year-old Canadian man for a data breach at the Canada Revenue Agency in which the Heartbleed bug was exploited to steal social insurance numbers of 900 individuals.

The CRA was forced to shut down public access to its online services, a particular inconvenience as the deadline for Canadians to submit their income tax returns is April 30.

Stephen Arthuro Solis-Reyes was arrested on Tuesday at his London, Ontario, home without incident, the RCMP said in a statement.

"It is believed that Solis-Reyes was able to extract private information held by the CRA by exploiting the security vulnerability known as the Heartbleed Bug," the statement said.

The RCMP said it worked with other Canadian government agencies and the London Police Service in tracking down the suspect.   

The CRA data breach was one of the first confirmed cases of successful exploitation of the Heartbleed bug in the OpenSSL software used on around two-thirds of websites to encrypt data traffic.

The bug, which enables anyone to read the memory of the systems supposedly protected by the vulnerable OpenSSL software, was first identified by security firm Codenomicon earlier this month. However, German software developer Robin Seggleman, who worked on the OpenSSL software, said he knew of the bug two years ago.

The RCMP explained that they treated the CRA breach as a "high priority case and mobilized the necessary resources to resolve the matter as quickly as possible."

For more:
- check out the RCMP statement

Related Articles:
Heartbleed underscores need for open source bug bounties
Canadian tax agency, British parenting site become first confirmed Heartbleed victims
Heartbleed bug could bleed millions of usernames, passwords