Alberta MLA Thomas Dang defends his decision to hack provincial COVID-19 vaccine records system - Action News

Independent MLA Thomas Dang admits he used basic encryption tools and the premier's birthdate to hack Alberta's COVID-19 vaccine records website last year.

Government House leader Jason Nixon says he will call for an investigation

Alberta MLA Thomas Dang says he accessed a stranger's COVID-19 vaccination records last year but immediately informed a member of the NDP caucus staff that the site's security was compromised. (Trevor Wilson/CBC)

Independent MLA Thomas Dang says he used basic encryption tools and the premier's birthdate to hack Alberta's COVID-19 vaccine records website last year, an admission that led to questions Tuesday about how the government was informed of the breach.

On his website Tuesday, the Edmonton-South MLA described actions that prompted his departure from the NDP caucus and made him the subject of an ongoing RCMP investigation.

"As an MLA, I believed I had an obligation to verify if such a negligent vulnerability could exist," Dang wrote in a report titled How I Did It. "In conducting this test, I was acting in the public interest and within my role as an MLA."

Dang said he accessed a stranger's COVID-19 vaccination records but immediately informed a member of the NDP caucus staff that the site's security was compromised.

A party spokesperson confirmed Tuesday that Dang informed a caucus staffer of potential problems with the records website on the morning of Sept. 23 and that the health minister's office was informed later that morning by phone and by email.

Health Minister Jason Copping told reporters Tuesday that his department already knew about the vulnerability by the time the NDP told his office on Sept. 23.

Alberta Health was informed by the technology developer that the portal was "coming under cyberattack" before the correspondence of Sept. 23 was received, a press secretary for the Minister of Service Alberta said in a statement to CBC News.

"That correspondence cited a suggestion from an unnamed party that there was a security risk ... The information provided was minimal, and did not inform any specific changes."

Dang said the breach shows that Alberta's information technology (IT) infrastructure is vulnerable. He's calling on the province to establish protocols and a digital security office to better protect its IT systems from cyberattacks.

Nixon wants investigation

Dang held a news conference Tuesday about his hacking. Government House leader Jason Nixon showed up and told reporters he wants an investigation into Dang's actions and those of the NDP.

Nixon said he plans to put forward a motion in the legislature calling for an internal investigation that would likely be led by the special standing committee on members' services.

"I am quite shocked today, frankly, by some of MLA Dang's comments," Nixon said.

"Yes, somebody from the NDP staff did contact the government at some point, indicating that they had heard from an anonymous person that there may have been a situation with a website," he said.

"But at no time did the Official Opposition or Mr. Dang indicate that it was him who was hacking websites."

During the news conference, Dang defended his actions. He said he didn't have permission to perform a security assessment but decided to act on his own because he didn't believe the province would have accepted his help unless he was able to first prove there was a problem.

'Outrageous violation of privacy': Kenney

Dang resigned from the NDP caucus in December after RCMP executed a search warrant at his home. An investigation led by the Alberta RCMP Cybercrime Investigative Team is ongoing but no charges have been laid, RCMP spokesperson Fraser Logan said Tuesday.

Later, during a heated question period, Premier Jason Kenney called on NDP Leader Rachel Notley to take full responsibility for the breach.

"Who else's private information did the NDP seek to hack into?" Kenney said. "And what did the leader of the NDP know about this outrageous violation of privacy?"

Notley said Dang was asked to leave the NDP caucus as soon as he fell under RCMP investigation.

"That's a clear indication of how we see this behaviour," Notley said. "That is why we asked him to leave and under no circumstances will he be coming back while this is an active matter."

When Dang raised possible problems with the website, the health minister was immediately informed but she and other caucus members were not aware of the details, Notley said. She said the NDP caucus wasn't told that any personal files had been accessed.

"[Dang] didn't alert us that he had hacked the website," Notley said. "There had been an online conversation about the vulnerability of the website and he said, 'I have confirmed this to be true' ... I was told after the fact and I thought it was done."

In his report on his actions, Dang, who has a background in cybersecurity and computer science, said he orchestrated the breach soon after Alberta's vaccine records website launched last September.

The site allowed Albertans to download their vaccine records as unlocked PDFs, leading to concerns the documents could be easily forged.

The problem with the PDFs got fixed but Dang said he received a complaint from a member of the public who was concerned about a different weakness in the system.

"The website appeared to lack security features that would prevent a malicious attacker from scraping the website for the personal health information of Albertans," Dang wrote.

The breach

Dang said he first tried to hack the system by punching in random dates and health numbers.

After five attempts, his internet protocol (IP) address was blocked. Dang said he bypassed the block using a widely available program or script and regained access to the website.

He then began using his own information to test the site, but later decided to use Kenney's birth and vaccination dates instead, as Kenney's information was public and could be verified by government officials if a breach was found.

He said he wrote an automated program to test the system. Using it, he found the record of a person who shared Kenney's birthday and had received a vaccine in the same month as the premier.

"As soon as I was aware that a record had been found, I immediately stopped the script. I then verified that the record was valid by requesting the record from the website," Dang wrote.

"When I saw that the record belonged to an individual that was not the premier and was also unknown to me, I immediately exited the website and did not save any information."

Dang said that after he alerted NDP caucus staff and the information was relayed to Alberta Health, the province released a new version of the website within a week. The new version fixed the flaw he had identified, he said.

Dang said he plans to table a private member's bill to establish a new office focusing on the security and defence of Alberta's digital infrastructure.

He said he is co-operating with the RCMP investigation and remains hopeful that charges will not be laid.

With files from Michelle Bellefontaine