A Western University computer science student has been charged in connection with a breach of the Canada Revenue Agency’s website.
The RCMP said in a news release that it has charged Stephen Arthuro Solis-Reyes, 19, of London, Ont., with one count of unauthorized use of a computer, and one count of mischief in relation to data.
“It is believed that Solis-Reyes was able to extract private information held by the CRA by exploiting the security vulnerability known as the Heartbleed bug,” said the RCMP’s National Division Integrated Technological Crime Unit in the release issued Wednesday.
“The RCMP treated this breach of security as a high-priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” said assistant commissioner Gilles Michaud in the release.
A search was conducted at the suspect’s residence and computer equipment was seized, the RCMP said.
Faisal Joseph, a senior partner at Lerners law firm, which represents Solis-Reyes, said his client went to meet RCMP officers on Tuesday afternoon at the London police headquarters.
“He turned himself in voluntarily after he was threatened that if he did not, because they did not have a warrant for him . . . they would humiliate him and pull him out of exams at university, if he didn’t go voluntarily,” Joseph said in a telephone interview jail records.
RELATED: Identity theft on the rise, experts warn
Password savvy: How to protect yourself from hackers
Joseph accused the RCMP of denying him access to his client, for nearly six hours after initially being advised Solis-Reyes, an A student in his second year, would be released within 10 minutes.
“To my shock and surprise, the RCMP lead investigator refused to allow me to see my own client,” Joseph said, noting Solis-Reyes was shuttled back and forth between a small interview room and a cell.
“He was interrogated for almost six hours, with his lawyer demanding to see him every half hour, for almost six hours,” Joseph said.
Joseph waited with Solis-Reyes’ father, Roberto Solis-Oba, an associate professor at Western’s computer science department, at London’s police headquarters.
Joseph said his client’s father was deeply distraught and was “an emotional wreck” during the wait to speak with Solis-Reyes.
Solis-Reyes was eventually released just before 11 p.m. and formally charged. He is to appear in an Ottawa court on July 17.
Joseph added he does not know what evidence there is, and he won’t get disclosure until July.
When asked whether Solis-Reyes would write his final exams this week, Joseph said he did not know, given he has been through a harrowing experience.
When asked whether Joseph would be filing a complaint, he said: “I will definitely be following up and taking the appropriate action with respect to how my client was treated in custody, and how I was denied access to him for hours, after he called me from the police headquarters.”
The RCMP declined to comment on Joseph’s allegations.
“The investigation is still ongoing and in order to protect the integrity of the investigation we will not be commenting any further,” RCMP spokesperson Cpl. Lucy Shorey said in an email.
The RCMP investigation was conducted with the co-operation of the London Police Service.
Heartbleed is a massive security flaw that, by some estimates, affects two-thirds of all websites.
IT security experts believe that it allowed pulses of unencrypted data — including names, passwords, credit card numbers and other personal information — to leak out of computer servers for as long as two years, undetected.
The flaw and a patch to fix the leak, one line of computer code, were released by researchers last week.
Major websites, including Google and Yahoo, along with Google smartphones and networking equipment makers Cisco Systems Inc. and Juniper Networks, said their systems were at risk.
CRA shut down public access to its website for five days last week, with the April 30 income tax deadline looming, to fix the problem and test its system criminal record checks.
This week, after it restored its website, the CRA announced it was notifying 900 Canadians that their social insurance numbers were removed from its system as a result of the Heartbleed bug flaw.
The RCMP then announced that it was investigating.
Experts say it’s too early to know to what extent the defect was used by hackers and thieves to steal sensitive personal information.
Publicity over the bug drew in security experts, would-be hackers, and those who were simply curious, Carmi Levy, a technology analyst and journalist said in an interview.
Instructions for breaching computer servers and websites compromised by Heartbleed were easily available online, Levy added.
“It’s still early days and we don’t know the details,” Levy said. “But I would be incredibly surprised if this were a case of a hardcore hacker deliberately attacking a system. This has all the signatures of curiosity and going along with the big IT security story of the day.”
Tax agency begins to ‘support and protect’ 900 people whose SIN numbers were stolen