Young Man Charged in Heartbleed SIN Theft

The lawyer of a 19-year-old London, Ont., man charged with exploiting the Heartbleed bug to steal over 900 SIN numbers says his client has been devastated by the arrest.

Stephen Arthuro Solis-Reyes, a student at Western University and the son of Roberto Solis-Oba who teaches computer science at Western, was arrested late Tuesday afternoon. The RCMP says Solis-Reyes is charged with one count of unauthorized use of a computer and one count of mischief in relation to data.

Joseph said his client was too emotional to speak about the charges against him on Tuesday, and police haven’t told him anything, either.

"I don’t have any evidence," he said.

Joseph said Solis-Reyes voluntarily turned himself in to police on Tuesday after officers threatened to arrest him in the middle of one of his classes. Days earlier, Joseph said, RCMP officers served a warrant at Solis-Reyes’s house at around 1 a.m., but left without advising of a charge.

"He didn’t hear anything until yesterday," Joseph said, adding his client feels "sucker-punched."

Joseph also alleges police kept Solis-Reyes in custody for over five hours without access to a lawyer on Tuesday, something he said he’ll file a complaint about.

Solis-Reyes is set to appear in an Ottawa court on July 17, when the RCMP is set to lay out its case against him.

Until then, Joseph said, Solis-Reyes’s family has been "absolutely devastated" by the charges.

The RCMP allege that Solis-Reyes was able to extract the private information from the Canada Revenue Agency by exploiting the Heartbleed security vulnerability in the OpenSSL encryption software used by many internet servers.

Computer equipment was seized from Solis-Reyes’s home, the RCMP said.

The CRA temporarily shut down some access to its website late on April 8 in response to security concerns about the Heartbleed bug. This security flaw in its website encryption left it vulnerable to hackers.

The CRA says it realized last Friday that 900 social insurance numbers had been stolen during a six-hour attack. The agency notified the privacy commissioner on Friday and referred the matter to the RCMP. But the breach was only made public on Monday.

On Wednesday, Communications Security Establishment Canada, the government agency responsible for cybersecurity, said it learned of the Heartbleed bug when a global security alert went out — a full day before the federal government issued a public warning and parts of the Canada Revenue Agency website were temporarily shut down.

The RCMP said this week it had asked the CRA not to tell Canadians on Friday about the breach so the force could look into a "viable" lead in their investigation.