RCMP arrest 19-year-old Western University student over Heartbleed SIN theft from CRA systems

RCMP arrest 19-year-old Western University student over Heartbleed SIN theft from CRA systems

RCMP’S National Division Integrated Technological Crime Unit (ITCU) has charged a 19-year-old London, Ontario Stephen Arthuro Solis-Reyes of London, Ontario, in relation to the malicious breach of taxpayer data from the Canada Revenue Agency (CRA) website.

The RCMP announced on Wednesday that Solis-Reyes was arrested at his residence on Tuesday without incident. The Western University computer science student faces one count of unauthorized use of computer and one count of mischief in relation to data.

They said: “It is believed that Solis-Reyes was able to extract private information held by the CRA by exploiting the security vulnerability known as the Heartbleed Bug.”

“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in “O” Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners,” said Assistant Commissioner Gilles Michaud.

A search was conducted at the suspect’s residence and computer equipment was seized.

The success of this investigation reflects the collaborative efforts of the RCMP and other government agencies as well as the London Police Service.

This investigation was conducted as part of the ITCU’s mandate to investigate pure computer crimes where the federal government and / or Canadian critical IT infrastructure are victimized.

National Division’s mandate is to focus its expertise in sensitive, high-risk investigations into significant threats to Canada’s political, economic and social integrity.

The investigation is still ongoing. The RCMP said they were committed to advising Canadians of any significant developments in this case.


CANADA Revenue Agency Commissioner Andrew Treusch had announced Monday that Social Insurance Numbers (SIN) of about 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability.

Treusch said he informed the Privacy Commissioner of Canada of the breach on April 11 and that the RCMP are investigating.


Here is Treusch’s full statement:

AFTER learning that the Canada Revenue Agency (CRA) systems were vulnerable to the Heartbleed bug, the CRA acted quickly to protect taxpayer information by removing public access to its online services on April 8, 2014.

Since then, the CRA worked around the clock to implement a “patch” for the bug, vigorously test all systems to ensure they were safe and secure, and re-launch our online services late yesterday [Sunday].

Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.

Beginning today, the Agency is putting in place measures to support and protect the individuals affected by the breach. Each person will receive a registered letter to inform them of the breach. A dedicated 1-800 number has also been set up to provide them with further information, including what steps to take to protect the integrity of their SIN. The Agency will not be calling or emailing individuals to inform them that they have been impacted – we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes.

The CRA will also provide those who have been affected with access to credit protection services at no cost. And we will apply additional protections to their CRA accounts to prevent any unauthorized activity.
On April 11, 2014, I informed the Privacy Commissioner of Canada of the breach. The RCMP is investigating.

As the Commissioner of the CRA, I want to express regret to Canadians for this service interruption. In particular, I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act.

CRA online services are safe and secure. The CRA responded aggressively to successfully protect our systems. We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards.

I know that all employees of the Canada Revenue Agency join me in appreciation for the cooperation and patience of the public, businesses and representatives as we resolved this situation.