The charges come after the CRA reported that 900 social insurance numbers were stolen in a web security breach due to the Heartbleed bug.
Stephen Arthuro Solis-Reyes was arrested at his home on Tuesday without incident, RCMP said Wednesday.
The RCMP allege that Solis-Reyes was able to extract the private information from the CRA by exploiting the security vulnerability known as the Heartbleed bug.
He faces one count of unauthorized use of a computer and one count of mischief in relation to data.
The RCMP conducted a search of the suspect's residence and seized computer equipment.
The CRA temporarily shut down some access to its website in response to security concerns about the Heartbleed bug. This security flaw in its website encryption left it vulnerable to hackers.
The CRA realized on Friday that 900 social insurance numbers has been stolen during a six-hour attack. The agency notified the privacy commissioner on Friday and referred the matter to the RCMP. The breach was only made public on Monday.
“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” Assistant Commissioner Gilles Michaud said in the statement.
Solis-Reyes is scheduled to appear in court in Ottawa on July 17 and could face a maximum of 10 years in prison if found guilty.
The RCMP said the investigation is still ongoing.