The Canadian Mounties may have gotten their man.
Nineteen-year-old charged in Heartbleed attack case
Just five days after the Heartbleed virus was reported to have penetrated the Canadian Revenue Agency – the northern version of the US Internal Revenue Service – the Calgary Herald is reporting that a 19-year-old has been charged in the case. The hacker in question compromised the personal data of over 900 Canadian citizens, exposing their social security numbers.
Charges are “unauthorized use of a computer” and “mischief in relation to data”
Stephen Arthuro Solis-Reyes of London, Ontario has been officially charged with the attack, related to “unauthorized use of a computer” and “mischief in relation to data.” Solis-Reyes’ home was searched and his computer seized, according to reports. He is scheduled to appear in an Ottawa court July 17.
Solis-Reyes, whose father is a computer science professor at Western University, is said to have worked alone.
Brief window of opportunity
The attack on the Canadian Revenue Agency took place on Friday, just after the Heartbleed bug was made public. The government agency did patch their servers to protect against attack when the venerability was discovered, but not before Solis-Reyes accessed the server, according to the charges. In this brief window of opportunity, attackers were able to extract random bits of data from the computer server’s working memory. In the case of the Canadian Revenue Agency, this included sensitive financial information. It is unclear if sensitive data is typically stored in the server’s working memory.
The breach resulted in shuttering the service when it was discovered, but official announcement of the breach were not made public until early this week.
The Canadian government says it is still in the process of informing the close to 900 Canadian citizens who were affected by the breach.