Police have arrested a 19-year-old Canadian computer science student in connection with the theft of data from the country’s tax authority using the recently discovered Heartbleed bug.
The agency reported the data breach just days after security researchers announced their discovery of the programming error in certain versions of the OpenSSL encryption software.
The coding error can be exploited to harvest data from server memory, such as usernames, passwords and encryption keys.
On learning of the Heartbleed vulnerability, the Canada Revenue Agency (CRA) blocked public access to its online services, only to discover its systems had already been breached.
The CRA is one of many organisations vulnerable to Heartbleed, despite robust controls, said agency commissioner Andrew Treusch in a statement.
“Thanks to the dedicated support of Shared Services Canada and our security partners, the agency was able to contain the infiltration before the systems were restored,” he said.
The CRA said no other breaches had been detected.
"It is believed Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug," the Royal Canadian Mounted Police said in a statement.
The RCMP, which has been investigating the breach for four days, charged Solis-Reyes with "unauthorised use of a computer" and "mischief in relation to data".
He is expected to appear in court in Ottawa on 17 July 2014.
Earlier this week, parenting website Mumsnet was reported to be the first known UK victim of hackers exploiting the Heartbleed bug.
The site revealed that a hacker claiming to have used the Heartbleed bug had accessed the passwords of some, and possibly all, of its 1.5 million users before the vulnerability was fixed.
Security experts believe more attacks will come to light as companies and governments work to determine if their systems are vulnerable and whether they have been breached.