Canada sees first Heartbleed bug arrest

Canada has made the first Heartbleed bug arrest over the theft of data from the country's tax authority

Police have arrested a 19-year-old Canadian computer science student in connection with the theft of data from the country’s tax authority using the recently discovered Heartbleed bug.

Stephen Arthuro Solis-Reyes of London, Ontario, is suspected of exploiting the OpenSSL vulnerability to steal 900 social insurance numbers from the Canada Revenue Agency (CRA) website.

The agency reported the data breach just days after security researchers announced their discovery of the programming error in certain versions of the OpenSSL encryption software.

The coding error can be exploited to harvest data from server memory, such as usernames, passwords and encryption keys.

On learning of the Heartbleed vulnerability, the CRA blocked public access to its online services, only to discover its systems had already been breached.

The CRA is one of many organisations vulnerable to Heartbleed, despite robust controls, said agency commissioner Andrew Treusch in a statement.

“Thanks to the dedicated support of Shared Services Canada and our security partners, the agency was able to contain the infiltration before the systems were restored,” he said.

The CRA said no other breaches had been detected.

"It is believed Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug," the Royal Canadian Mounted Police said in a statement.

The RCMP, which has been investigating the breach for four days, charged Solis-Reyes with "unauthorised use of a computer" and "mischief in relation to data".

He is expected to appear in court in Ottawa on 17 July 2014.

Earlier this week, parenting website Mumsnet was reported to be the first known UK victim of hackers exploiting the Heartbleed bug.

The site revealed that a hacker claiming to have used the Heartbleed bug had accessed the passwords of some, and possibly all, of its 1.5 million users before the vulnerability was fixed.

Security experts believe more attacks will come to light as companies and governments work to determine if their systems are vulnerable and whether they have been breached.
