Stephen Arthuro Solis-Reyes charged in Heartbleed-related SIN theft

The lawyer of a 19-year-old London, Ont., man charged with exploiting the Heartbleed bug to steal over 900 SIN numbers says his client has been devastated by the arrest.

Western University student Stephen Arthuro Solis-Reyes, 19, arrested in London, Ont.

Stephen Arthuro Solis-Reyes, 19, of London, Ont., has been charged with the theft of over 900 SIN numbers. Police allege he exploited the Heartbleed bug to attain the personal data. ((2011-12 Mother Teresa Catholic secondary school yearbook))

The lawyer of a 19-year-old London, Ont., man charged with exploiting the Heartbleed bug to steal over 900 SIN numbers says his client has been devastated by the arrest.

Stephen Arthuro Solis-Reyes, a student at Western University and the son of Roberto Solis-Oba who teaches computer science at Western, was arrested late Tuesday afternoon. The RCMP says Solis-Reyes is charged with one count of unauthorized use of a computer and one count of mischief in relation to data.

"He is an A student and a very, very bright young man," Solis-Reyes’s lawyer, Faisal Joseph, said.

Joseph said his client was too emotional to speak about the charges against him on Tuesday, and police haven’t told him anything, either.

"I don’t have any evidence," he said.

Joseph said Solis-Reyes voluntarily turned himself in to police on Tuesday after officers threatened to arrest him in the middle of one of his classes. Days earlier, Joseph said, RCMP officers served a warrant at Solis-Reyes’s house at around 1 a.m., but left without advising of a charge.

"He didn’t hear anything until yesterday," Joseph said, adding his client feels "sucker-punched."

Joseph also alleges police kept Solis-Reyes in custody for over five hours without access to a lawyer on Tuesday, something he said he’ll file a complaint about.

Solis-Reyes is set to appear in an Ottawa court on July 17, when the RCMP is set to lay out its case against him.

Until then, Joseph said, Solis-Reyes’s family has been "absolutely devastated" by the charges.

The RCMP allege that Solis-Reyes was able to extract the private information from the CRA by exploiting the Heartbleed security vulnerability in the OpenSSL encryption software used by many internet servers.

Computer equipment was seized from Solis-Reyes’s home, the RCMP said.

Website shutdown

The CRA temporarily shut down some access to its website late on April 8 in response to security concerns about the Heartbleed bug. This security flaw in its website encryption left it vulnerable to hackers.

The CRA says it realized last Friday that 900 social insurance numbers had been stolen during a six-hour attack. The agency notified the privacy commissioner on Friday and referred the matter to the RCMP. But the breach was only made public on Monday.

On Wednesday, Communications Security Establishment Canada, the government agency responsible for cybersecurity, told CBC News it learned of the Heartbleed bug when a global security alert went out — a full day before the federal government issued a public warning and parts of the Canada Revenue Agency website were temporarily shut down.

The RCMP said this week it had asked the CRA not to tell Canadians on Friday about the breach so the force could look into a "viable" lead in their investigation. 

"The RCMP treated this breach of security as a high-priority case and mobilized the necessary resources to resolve the matter as quickly as possible," Assistant Commissioner Gilles Michaud said in a statement released Wednesday to announce the arrest.

Solis-Reyes could face a maximum of 10 years in prison if found guilty.

The RCMP said the investigation is ongoing.