Heartbleed hacking bust in Canada?


If this story from the Calgary Herald holds up, it will be among the first documented instance of a hacker exploiting the Heartbleed Internet security flaw – currently festering on hundreds of thousands of websites – to steal sensitive information:

Police have charged a 19-year-old man from London, Ont., in connection with the loss of taxpayer data from the Canada Revenue Agency website.

Stephen Arthuro Solis-Reyes was arrested at his residence Tuesday and is charged with unauthorized use of a computer and mischief in relation to data, the RCMP said Wednesday.

A search of the residence resulted in the seizure of computer equipment.

The agency was forced to shut down its publicly accessible website Friday as the world learned about the Heartbleed computer bug, a previously undiscovered global Internet security vulnerability.

Other government computer sites were also temporarily taken down over the weekend.

On Monday, the agency said 900 social insurance numbers had been compromised.

The loss was detected Friday, but the agency delayed telling Canadians about it at the request of the RCMP.

The police said the delay allowed them to pursue their investigation through the weekend and helped track down a suspect.

The article references Heartbleed several times, but I don’t see any expert testimony that Solis-Reyes definitely used it to accomplish his data heist.  Fingers have been crossed that the vulnerability would be resolved before hackers discovered it and wreaked havoc; a confirmed large-scale hack would dash those hopes, because updates to the compromised Secure Socket Layer software have not been fully distributed yet.  Some compromised systems are so large that five-day precautionary shutdowns may not be feasible.