Heartbleed hack case sees first arrest in Canada

Statement from the Canada Revenue Agency The Canada Revenue Agency said that more than 900 social insurance numbers had been stolen

Related Stories

A 19-year-old Canadian became the first person to be arrested in relation to the Heartbleed security breach.

Stephen Arthuro Solis-Reyes from London, Ontario was accused of hacking into the Canadian Revenue Agency (CRA)'s website last Friday by the Royal Canadian Mounted Police.

The RCMP say Mr Solis-Reyes then stole 900 social insurance numbers.

In a separate development, UK parenting site Mumsnet has provided fresh details about how it fell victim to the bug.

The site has published a post explaining how a hacker hijacked several accounts last week - including one belonging to Mumsnet's founder Justine Roberts - after exploiting the cryptology flaw to expose the owners' credentials.

"I hope the actions of hijacking Justine's account help draw attention to how big a deal this is," the hacker wrote on the social network.

"I suspect a lot of people would not have taken it seriously otherwise. Be thankful that the person who got access to the server information was kind enough to let you all know (and at least try and be funny with it) instead of simply sitting on the information."

Canada arrest

The Heartbleed bug was made public a week ago by Google and Codenomicon, a small Finnish security firm, which independently identified the problem.

The bug exploits a flaw in OpenSSL - a cryptographic software library used by services to keep data transmissions private.

Canada's tax agency was one of the first major organisations to cut services as a result the security flaw.

However, the action came too late.

"It is believed that [Mr] Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug," the RCMP said in a statement.

The RCMP, which has been investigating the breach for four days, charged Mr Solis-Reyes with "unauthorized use of a computer" and "mischief in relation to data".

He is expected to appear in court on 17 July 2014.

Security experts warn that more attacks could be revealed soon, as firms and governments work to determine whether or not their systems are vulnerable.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features

  • Cesc FabregasFair price?

    Have some football clubs overpaid for their new players?


  • Woman and hairdryerBlow back

    Would banning high-power appliances actually save energy?


  • Members of staff at James Stevenson Flags hold a Union Jack and Saltire flag UK minus Scotland

    Does the rest of the UK care if the Scots become independent?


  • Women doing ice bucket challengeChill factor

    How much has the Ice Bucket Challenge achieved?


  • Women in front of Windows XP posterUpgrade angst

    Readers share their experiences of replacing their operating system


BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.