Last week, the world was made aware of Heartbleed, a flaw in a widely used security protocol that affected (and still affects) an absurdly large portion of web traffic. On Tuesday, Canadian police arrested a 19-year-old man in Ontario for allegedly hacking into the country’s tax agency by using the exploit—the first such arrest since the flaw became public.

Stephen Solis-Reyes, a computer science student, allegedly used Heartbleed to breach the Canadian Revenue Agency. On Monday, the agency reported that 900 social insurance numbers had been compromised, though the intrusion was detected on Friday. The CRA held off advising people at the request of the Royal Canadian Mounted Police.

Solis-Reyes was arrested without incident, and faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data.

While many websites have already patched their OpenSSL implementations to protect against the exploit, the incident shows that many websites—even important ones—have not.