Heartbleed exploit a reality for Canadian agency

Law enforcement officials in Canada might have caught up with one of the "nefarious actors" the U.S. Department of Homeland Security warned was moving to exploit the Heartbleed OpenSSL flaw -- but not before he allegedly filched 900 Social Insurance Numbers from the Canadian tax authority's databases.

DHS' warning and the arrest in Canada were not directly linked, but they highlight the speed with which cybercriminals exploit vulnerabilities.

On April 16, the Royal Canadian Mounted Police announced that it had arrested a 19-year-old Ontario man for the malicious breach of taxpayer data from the Canada Revenue Agency (CRA) website via the Heartbleed flaw. Stephen Arthuro Solis-Reyes was arrested at his residence on April 15 without incident and is slated to appear in court in Ottawa on July 17.

"Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," said CRA Commissioner Andrew Treusch in a statement released April 14.

On April 11, within hours of the Heartbleed flaw's disclosure, DHS' National Cybersecurity and Communications Integration Center warned through an unclassified but restricted memo that a trusted third party had seen exploit code on publicly available online outlets. It also said a number of underground forums were discussing the flaw, "which indicated interest from nefarious actors."

RCMP did not provide details on how Solis-Reyes accessed the data.

CRA shut down public access to its online services on April 8, saying those services were vulnerable to the flaw, and officials moved the deadline for Canadians to file their tax returns from April 30 to May 5. The U.S. Internal Revenue Service and other federal agencies maintained that their operations were not vulnerable to the flaw, and online services remained operational. Experts have said vulnerability to malicious exploitation can vary widely depending on systems' architecture and other factors.

Treusch said CRA is now fixing the problem. "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," he said. Before relaunching its online services on April 15, the agency "vigorously" tested its systems and implemented patches for the flaw, he added.

The agency has notified the people whose information was stolen, but instead of communicating through possibly exploitable email messages and telephone calls, Treusch said CRA sent a registered letter to each person affected. The agency has also established a free hotline to provide more information on how people can protect their Social Insurance Numbers.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.
