Heartbleed exploit a reality for Canadian agency

Law enforcement officials in Canada might have caught up with one of the "nefarious actors" the U.S. Department of Homeland Security warned was moving to exploit the Heartbleed OpenSSL flaw -- but not before he allegedly filched 900 Social Insurance Numbers from the Canadian tax authority's databases.

DHS' warning and the arrest in Canada were not directly linked, but they highlight the speed with which cybercriminals exploit vulnerabilities.

On April 16, the Royal Canadian Mounted Police announced that it had arrested a 19-year-old Ontario man for the malicious breach of taxpayer data from the Canada Revenue Agency (CRA) website via the Heartbleed flaw. Stephen Arthuro Solis-Reyes was arrested at his residence on April 15 without incident and is slated to appear in court in Ottawa on July 17.

"Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," said CRA Commissioner Andrew Treusch in a statement released April 14.

On April 11, within hours of the Heartbleed flaw's disclosure, DHS' National Cybersecurity and Communications Integration Center warned through an unclassified but restricted memo that a trusted third party had seen exploit code on publicly available online outlets. It also said a number of underground forums were discussing the flaw, "which indicated interest from nefarious actors."

RCMP did not provide details on how Solis-Reyes accessed the data.

CRA shut down public access to its online services on April 8, saying those services were vulnerable to the flaw, and officials moved the deadline for Canadians to file their tax returns from April 30 to May 5. The U.S. Internal Revenue Service and other federal agencies maintained that their operations were not vulnerable to the flaw, and online services remained operational. Experts have said vulnerability to malicious exploitation can vary widely depending on systems' architecture and other factors.

Treusch said CRA is now fixing the problem. "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," he said. Before relaunching its online services on April 15, the agency "vigorously" tested its systems and implemented patches for the flaw, he added.

The agency has notified the people whose information was stolen, but instead of communicating through possibly exploitable email messages and telephone calls, Treusch said CRA sent a registered letter to each person affected. The agency has also established a free hotline to provide more information on how people can protect their Social Insurance Numbers.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
