Edmonton MLA admits to using premier's birth date to hack Alta. COVID-19 records system
Edmonton-South MLA Thomas Dang says he used Alberta's premier's birth date in September to prove the government had "failed to implement the most basic security protocols" on its COVID-19 vaccination website by hacking it, and accessed a private citizen's information in the process.
In a white paper published Tuesday, Dang says he used Jason Kenney's birth date because it, as well as the premier's vaccination status, were already public and would be easily verifiable by the government.
At the time, the pieces of information were required by the government website to download a PDF version of an Albertan's proof of vaccination.
Dang is currently pursuing a computer science degree at Athabasca University.
Through hiding his IP address and writing a program to search for a personal health number, Dang found the health record of a person who had the same birthday and had received a vaccine in the same month as Kenney – but who was not Kenney.
Dang had not previously disclosed he gained access to a citizen's file.
In a news conference Tuesday, the now-independent MLA defended his actions as due diligence after hearing from a concerned constituent.
"I believe that as an MLA, it was my obligation, and indeed when it was reported to me by a member of the public that this vulnerability could exist, that I needed to verify it before I was able to make that report to the government," he told reporters.
"The rationale for using the premier's information … includes the premier is a high-profile person with publicly available information [who] would likely already be the target of this type of attack. I believed that would minimize the risk of further harm or any unnecessary information exposure."
DANG STANDS GROUND, HOUSE LEADER SEEKS REVIEW
Dang says upon accessing a member of the public's record, he immediately left the website without saving any information and notified the health ministry, offering what he saw as a solution.
RCMP launched an investigation in November and, the following month, searched Dang's home in relation to “suspicious activity related to unlawful access of private information related to the vaccination records portal.” Dang was neither arrested nor charged that day, but he did resign from the Alberta NDP.
When asked if he had any regrets, Dang said on Tuesday: "What I've done is I've provided and was able to assist Alberta Health and the Government of Alberta in ensuring that Albertans' personal and private information is more secure than it was before I performed the test."
He rejected his hacking was a form of vigilante justice. And, he insisted he followed the principles of responsible disclosure in computer security.
"I did not believe, and I still do not believe, honestly, the government would have accepted my help if I had offered it without proof there was an issue," Dang said.
"It's not even about a political process. It's not a partisan question. This is unacceptable behaviour from a member of the legislature," Government House Leader Jason Nixon fired back.
He plans to set up a committee to investigate how legislature staff and resources were used by Dang, including when and what the Official Opposition NDP knew about the breach.
"Particularly Rachel Notley needs to answer when she knew about this," Nixon said, disputing Dang's claim he directly contacted Alberta Health. "At no time does the Official Opposition or Rachel Notely indicate that a member of her caucus has been hacking government websites trying to get the premier's vaccination information."
Notley told reporters Tuesday that Dang had informed an NDP staff member that a vulnerability in the site had been discovered and confirmed, but she didn’t know about how it had been confirmed.
“Never at any time did I become aware of any personal information being accessed or did we receive any personal information,” said Notley.
Depending on what the committee finds, Nixon said Dang could be fined, barred from taking his legislature seat for a period, or expelled from the chamber.
"Forget about the politicians involved. A private citizen of Alberta's records were accessed by a member of the legislature through inappropriate means," Nixon said.
"It's not justifiable in any means."
GOVERNMENT NOT TAKING ADVICE OF 'ADMITTED HACKER'
Dang did not offer an apology to the person who shares a birthday with Kenney and received at least one COVID-19 vaccine shot in the same month as the premier, whose record Dang accessed in September.
"I'm not aware who this individual is and I didn't retain any of that information, so I have no way of contacting this person, even if I wanted to," the MLA told reporters.
He continued, "However, what I would say is that I believe the system exposed potentially every Albertan's information, and I want to say the Government of Alberta needed to do better," launching into a lecture on Alberta's need for more robust cyber security infrastructure.
According to Dang, the government fixed the vaccination records website one week after he found the flaw. He called it a security measure "so common that even self-taught and relatively untrained programmers know to implement this basic protection mechanism."
He plans to introduce a bill in the fall that would create a cyber defence office and disclosure program, to which vulnerabilities could be reported.
Nixon couldn't say if the government would take any action on cyber and information security this legislative session, but commented, "What I can tell you we will not be doing is getting an admitted hacker to tell us how to do the cyber security of the government."
CTV News Edmonton has reached out to the RCMP for updated comment.
CTVNews.ca Top Stories
Canadian family stuck in Lebanon anxiously awaits flight options amid Israeli strikes
A Canadian man who is trapped in Lebanon with his family says they are anxiously waiting for seats on a flight out of the country, as a barrage of Israeli airstrikes continues.
Suspect in shooting of Toronto cop was out on bail
A 21-year-old man who was charged with attempted murder in the shooting of a Toronto police officer this week was out on bail at the time of the alleged offence, court documents obtained by CTV News Toronto show.
Scientists looked at images from space to see how fast Antarctica is turning green. Here's what they found
Parts of icy Antarctica are turning green with plant life at an alarming rate as the region is gripped by extreme heat events, according to new research, sparking concerns about the changing landscape on this vast continent.
DEVELOPING 2 dead after fire rips through historic building in Old Montreal
At least two people are dead and others are injured after a fire ripped through a century-old building near Montreal's City Hall, sources told Noovo Info.
Yazidi woman captured by ISIS rescued in Gaza after more than a decade in captivity
A 21-year-old Yazidi woman has been rescued from Gaza where she had been held captive by Hamas for years after being trafficked by ISIS.
A 6-year-old girl was kidnapped in Arkansas in 1995. Almost 30 years later, a suspect was identified
Nearly 30 years after a six-year-old girl disappeared in Western Arkansas, authorities have identified a suspect in her abduction through DNA evidence.
Dolphins 'smile' at each other when they play and to avoid misunderstanding, study finds
For humans, flashing a smile is an easy way to avoid misunderstanding. And, according to a new study, bottlenose dolphins may use a similar tactic while playing with each other.
Pit bulls in B.C. pet mauling tested positive for meth, cocaine, says city
Three pit bulls involved in a deadly attack on another dog last month in Kamloops, B.C., tested positive for methamphetamine and cocaine, and the city is going to court to have them put down.
Tax rebate: Canadians with low to modest incomes to receive payment on Friday
Canadians who are eligible for a GST/HST tax credit can expect their final payment of the year on Friday.