CBC photo illutsration
The RCMP's National Division has charged a 19-year-old London, Ont., man following the theft of 900 social insurance numbers from the Canada Revenue Agency in a web security breach linked to the Heartbleed bug.
Stephen Arthuro Solis-Reyes was arrested at his home on Tuesday without incident, RCMP said Wednesday.
The RCMP allege that Solis-Reyes was able to extract the private information from the CRA by exploiting the Heartbleed security vulnerability in the OpenSSL encryption software used by many internet servers.
He faces one count of unauthorized use of a computer and one count of mischief in relation to data.
The RCMP searched the suspect's residence and also seized computer equipment.
The CRA temporarily shut down some access to its website late on April 8 in response to security concerns about the Heartbleed bug. This security flaw in its website encryption left it vulnerable to hackers.
The CRA says it realized on Friday that 900 social insurance numbers had been stolen during a six-hour attack. The agency notified the privacy commissioner on Friday and referred the matter to the RCMP. But the breach was only made public on Monday. The RCMP said this week it had asked the CRA not to tell Canadians on Friday about the breach so the force could look into a "viable" lead in their investigation.
“The RCMP treated this breach of security as a high-priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” Assistant Commissioner Gilles Michaud said in a statement released Wednesday to announce the arrest.
Solis-Reyes is scheduled to appear in court in Ottawa on July 17 and could face a maximum of 10 years in prison if found guilty.
The RCMP said the investigation is ongoing.