In what appears to be the first arrest of its kind, a 19-year-old man has been arrested in Canada for exploiting the Heartbleed bug that had left thousands of websites vulnerable to data-mining.
According to a release from the Royal Canadian Mountain Police (RCMP), Stephen Arthuro Solis-Reyes of Ontario was arrested at his home on 15 April and agreed to cooperate with the authorities.
Now in police custody, Solis-Reyes faces one count of unauthorized use of computer and one count of mischief in relation to data under Canadian law.
The bug is widely considered one of the biggest security flaws on the internet in years as it bypasses the encryption software known as OpenSSL, used by most of the larger websites. While the issue has been addressed in most cases, some websites could still leave visitors open to important data like credit card information and passwords being extracted through the flaw.
Earlier this week, it became known that Tax ID numbers belonging to 900 taxpayers were stolen from the Canada Revenue Agency’s (CRA) systems by a hacker exploiting the Heartbleed vulnerability
This is the first documented case of an arrest by the RCMP’s National Division Integrated Technological Crime Unit (ITCU) specifically related to Heartbleed, and the arrest was given the go ahead after it was understood Solis-Reyes used it to obtain taxpayer data from the Canada Revenue Agency (CRA) website.
In their statement, assistant commissioner Gilles Michaud was quoted as saying: “The RCMP treated this breach of security as a high priority case and mobilised the necessary resources to resolve the matter as quickly as possible.
“Investigators from National Division, along with our counterparts in ‘O’ Division have been working tirelessly over the last four days analysing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.”
Password hacker image via Shutterstock