I never meant harm, says student who hacked Canada Revenue to show vulnerability to Heartbleed virus

There’s an update to the hack of the Canada Revenue Agency, first disclosed in April 2014 and the young man who was charged in the case. Jane Sims reports:

A student computer whiz who stole 900 social insurance numbers from the files of the Canada Revenue Agency to demonstrate its online vulnerability pleaded guilty and apologized on Friday.

Two years ago, when Stephen Solis-Reyes of London, Ont., was 19, he stole the files to demonstrate the agency’s online vulnerability to the Heartbleed computer bug.

The result: a sudden, panicked shutdown of the CRA’s website for four days, which in turn lead to the extension of its tax-filing deadline by a week.

Solis-Reyes had a lot of support in Canada, where he is an outstanding and highly talented computer sciences student. He appears to be one of those kids whose talents need to be nurtured, his youthful transgressions forgiven, and let him get on with his life. The way he was interrogated, if accurate as alleged in the news report, was despicable. I realize law enforcement tends to view young hacktivists and hackers as criminals and possible terrorists, but that is no excuse for such inappropriate threats and treatment.

The court seemed to agree that Solis-Reyes should not be dealt with as a threat to national security or master criminal.

He was sentenced to an 18-month conditional sentence — the first four months under house arrest, the rest under supervision. He also must serve two years of probation, with 200 hours of community service ordered.

Okay, I think the house arrest is unnecessary and too harsh for a student, but at least he will not be in jail.

About the author: Dissent

3 comments to “I never meant harm, says student who hacked Canada Revenue to show vulnerability to Heartbleed virus”

You can leave a reply or Trackback this post.
  1. Jordana Ari - May 7, 2016

    As misguided as his intentions were to show lack of security in the system, he is only 21 years old. House arrest?

  2. Sting3r - May 9, 2016

    And how many violations and fines did the institute did the institutions receive for leave the doors open and the vulnerabilities not patched or misconfigured? It should be criminal negligence to not do the most possible to protect a persons data you house.

    • Jordana Ari - May 9, 2016

      100% agree with you.

Comments are closed.