The Royal Canadian Mounted Police issued the first criminal charges related to the Heartbleed bug on Wednesday. Stephen Arthuro Solis-Reyes, a 19-year-old hacker living in London, Ontario, was accused of using Heartbleed to steal taxpayer data from the Canada Revenue Agency.
The CRA temporarily shut down its website last week after it determined that about 900 social insurance numbers were compromised within a six-hour window.
“Investigators from National Division, along with our counterparts in ‘O’ Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners,” Gilles Michaud, the assistant commission of the Mounties, said in a statement.
Solis-Reyes was arrested in his home on Tuesday and his computer equipment was seized.
The CRA said it implemented a patch to fix the Heartbleed bug and re-launched after “vigorous” tests. CRA commissioner Andrew Treusch said the agency will be securely contacting affected individuals to set up credit protections.
“As the commissioner of the CRA, I want to express regret to Canadians for this service interruption,” Treusch said in a statement, referencing the agency’s decision to delay its tax deadline from April 30 to May 5. “In particular, I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act.”
Solis-Reyes faces one count of “unauthorized use of computer” and one count of “mischief in relation to data.” He is scheduled to appear in an Ottawa court on July 17.
If Solis-Reyes is found guilty, he will likely go down as the first hacker connected with the bug, but will unlikely be the last.