The Royal Canadian Mounted Police said on Wednesday that Stephen Arthuro Solis-Reyes was arrested at his residence on Tuesday and is charged with unauthorised use of a computer and mischief in relation to data.
"It is believed that Solis-Reyes was able to extract private information held by the CRA by exploiting the security vulnerability known as the Heartbleed Bug," the Royal Canadian Mounted Police (RCMP) said in a statement.
A search of the residence resulted in the seizure of computer equipment used to steal 900 Canadian taxpayers' data, which was made vulnerable by the "Heartbleed" bug.
Solis-Reyes is a computer science student at Western University, a spokesperson for the university said.
Website shut down
The Canada Revenue Agency was forced to shut down its publicly accessible website on Friday as the world learned about the Heartbleed computer bug, a previously undiscovered global internet security vulnerability.
The Canada Revenue Agency said 900 social insurance numbers - personal nine-digit codes required for working or accessing government benefits in Canada - had been stolen last week by "someone exploiting the Heartbleed vulnerability".
The recently-discovered flaw in online-data scrambling software OpenSSL allows hackers to eavesdrop on online communications, steal data, impersonate websites and unlock encrypted data.
OpenSSL is commonly used to protect passwords, credit card numbers and other data sent via the internet.
Cybersecurity firm Fox-It estimates that the vulnerability has existed for about two years, since the version of OpenSSL at issue was released.