Student gets conditional 18-month sentence in CRA Heartbleed breach

Curiosity killed the cat, goes an old saying. A Western University student whose curiosity led him to break into the Canada Revenue Agency’s servers two years ago to see if they were vulnerable to the Heartbleed bug earned an 18-month conditional sentence, according to the National Post.

Stephen Solis-Reyes, currently a fourth-year computer science student and son of the graduate chairman of Western’s computer science department, received that sentence Friday in an Ottawa court after pleading guilty to two charges of mischief (one for the Canada Revenue breach, the other for exposing security breaches at the former online arm of the Jersey Island’s postal service), one charge of unauthorized use of a computer and another of obstructing a police officer by swiping information off a computer at his arrest. In exchange the prosecution dropped 13 other charges.

Under the conditional sentence he’ll serve the first four months under house arrest, and the rest under supervision. He also must serve two years of probation, with 200 hours of community service ordered. If he breaks the conditions he could serve time in jail.

The publication quotes the student’s lawyer telling the court that Solis-Reyes was able to get into the CRA systems in “six seconds.”

The Heartbleed vulnerability is a coding error in the open source OpenSSL library, which many systems use for encryption protection, that leaves a portion of data in memory open.

Canada Revenue had to temporarily shut its systems after discovering that during a six-hour period between April 7, 2014 — when word about the vulnerability first surfaced — and April 8 — when Canada Revenue shut its tax filing site — social insurance numbers of 900 taxpayers were “removed” from its systems by exploiting Heartbleed. The shutdown came just as millions of Canadians were filing their income tax returns, forcing the government to extend the filing deadline. It took a few days for the government to scour its systems to ensure they were protected before bringing them back online.

A few days later Solis-Reyes was arrested. At the time the RCMP said it treated the breach as a high priority case.

According to the news report, one reason why Solis-Reyes received only a conditional sentence is that he didn’t try to sell any of the information he got his hands on.

Howard Solomon