A 19-year-old man who allegedly exploited the Heartbleed bug to steal personal data from the Canadian Revenue Agency’s website has been arrested and charged by Canadian police.
The arrest of Stephen Arthuro Solis-Reyes, who allegedly grabbed 900 social insurance numbers (SINs) over a period of six hours, marks the first time that authorities have apprehended someone in relation to the bug in OpenSSL.
Solis-Reyes of London, Ontario, a student at Western University, was detained by the London Police Service and the Royal Canadian Mounted Police National Division Integrated Technological Crime Unit.
In a statement, Assistant Commissioner Gilles Michaud of the RCMP said:
The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in “O” Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.
Solis-Reyes is scheduled to appear in court in Ottawa on 17 July 2014.
Canada’s tax agency was one of the first major organizations to be impacted by the Heartbleed flaw and subsequently had to remove public access to its online services for four days in order to protect taxpayer information.
It’s unclear what Solis-Reyes’s motivations were. But it’s important to remember that while security researchers and other interested parties may like to think that testing for Heartbleed or other vulnerabilities is ethical and serves a useful purpose, the law may not agree.
Such activity may not be regulated in every nation, but some countries certainly do prohibit the testing of security on third-party websites without permission.
Furthermore, it should be obvious that actually exploiting any discovered vulnerabilities in order to gain unauthorized access to networks and data is a bad idea at all times. More so if the organization in question is your national tax office.
If you do have legitimate concerns about a website’s security, the correct course of action would be to notify the owners and engage in responsible disclosure in a manner that doesn’t place other people’s data in jeopardy.