Hacker charged in CRA Heartbleed breach ‘straight-A’ engineering student

TORONTO – Police have charged a 19-year-old man in relation to the security breach on the Canada Revenue Agency’s website, which resulted in roughly 900 social insurance numbers being stolen.

RCMP arrested Stephen Arthuro Solis-Reyes, of London, Ont., at his home on April 15. He faces one count of “Unauthorized Use of Computer” and one count of mischief. Police also seized of computer equipment during a search of Solis-Reyes’ home.

Solis-Reyes’ lawyer, Faisal Joseph of Lerners Law Firm, described the teen as a “straight-A” second year engineering student at Western University. He said Solis-Reyes’ father, a computer science professor at Western, was an “emotional wreck” over the charges.

The 19-year-old  is listed as a 1500 metre runner on multiple London, Ont. running websites.

Joseph confirmed to Global News that Solis-Reyes voluntarily turned himself into police and has since been released on conditions.

Story continues below advertisement

READ MORE: SINs stolen from CRA website prompt identity theft concerns

“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in “O” Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners,” said assistant commissioner Giles Michaud in a written statement.

Yearbook photo of Stephen Solis-Reyes. File Photo

The CRA revealed Monday that roughly 900 social insurance numbers were stolen after the federal agency’s website was crippled by the Heartbleed bug. The agency has not yet said whether any other personal information was stolen.

Those affected by the security breach will be notified with a registered letter and will have free access to credit protection services.

Story continues below advertisement

READ MORE: Police asked CRA to delay telling the public about stolen SINs

The CRA shut down its electronic filing services April 9, a day after the Heartbleed vulnerability was made public.

Kellman Meghu, head of security engineering at Checkpoint Software Technologies, said Tuesday that Canadians’ information may have been put at risk from the CRA’s delay in taking its services offline.

“I’m afraid [information] would have been at risk,” Kellman said during a live blog hosted by Global News on Tuesday.

“The CRA is dealing with many servers – it would take them time to validate all their systems, which means there was time for other people to discover it was open to Heartbleed as well.”

Solis-Reyes is scheduled to appear in court in Ottawa on July 17.

Sponsored content