Skip to main content

Edmonton MLA admits to using premier's birth date to hack Alta. COVID-19 records system

Share

Edmonton-South MLA Thomas Dang says he used Alberta's premier's birth date in September to prove the government had "failed to implement the most basic security protocols" on its COVID-19 vaccination website by hacking it, and accessed a private citizen's information in the process.

In a white paper published Tuesday, Dang says he used Jason Kenney's birth date because it, as well as the premier's vaccination status, were already public and would be easily verifiable by the government.

At the time, the pieces of information were required by the government website to download a PDF version of an Albertan's proof of vaccination.

Dang is currently pursuing a computer science degree at Athabasca University.

Through hiding his IP address and writing a program to search for a personal health number, Dang found the health record of a person who had the same birthday and had received a vaccine in the same month as Kenney – but who was not Kenney.

Dang had not previously disclosed he gained access to a citizen's file.

In a news conference Tuesday, the now-independent MLA defended his actions as due diligence after hearing from a concerned constituent.

"I believe that as an MLA, it was my obligation, and indeed when it was reported to me by a member of the public that this vulnerability could exist, that I needed to verify it before I was able to make that report to the government," he told reporters.

"The rationale for using the premier's information … includes the premier is a high-profile person with publicly available information [who] would likely already be the target of this type of attack. I believed that would minimize the risk of further harm or any unnecessary information exposure."

DANG STANDS GROUND, HOUSE LEADER SEEKS REVIEW

Dang says upon accessing a member of the public's record, he immediately left the website without saving any information and notified the health ministry, offering what he saw as a solution.

RCMP launched an investigation in November and, the following month, searched Dang's home in relation to “suspicious activity related to unlawful access of private information related to the vaccination records portal.” Dang was neither arrested nor charged that day, but he did resign from the Alberta NDP.

When asked if he had any regrets, Dang said on Tuesday: "What I've done is I've provided and was able to assist Alberta Health and the Government of Alberta in ensuring that Albertans' personal and private information is more secure than it was before I performed the test."

He rejected his hacking was a form of vigilante justice. And, he insisted he followed the principles of responsible disclosure in computer security.

"I did not believe, and I still do not believe, honestly, the government would have accepted my help if I had offered it without proof there was an issue," Dang said.

"It's not even about a political process. It's not a partisan question. This is unacceptable behaviour from a member of the legislature," Government House Leader Jason Nixon fired back.

He plans to set up a committee to investigate how legislature staff and resources were used by Dang, including when and what the Official Opposition NDP knew about the breach.

"Particularly Rachel Notley needs to answer when she knew about this," Nixon said, disputing Dang's claim he directly contacted Alberta Health. "At no time does the Official Opposition or Rachel Notely indicate that a member of her caucus has been hacking government websites trying to get the premier's vaccination information."

Notley told reporters Tuesday that Dang had informed an NDP staff member that a vulnerability in the site had been discovered and confirmed, but she didn’t know about how it had been confirmed.

“Never at any time did I become aware of any personal information being accessed or did we receive any personal information,” said Notley.

Depending on what the committee finds, Nixon said Dang could be fined, barred from taking his legislature seat for a period, or expelled from the chamber.

"Forget about the politicians involved. A private citizen of Alberta's records were accessed by a member of the legislature through inappropriate means," Nixon said.

"It's not justifiable in any means."

GOVERNMENT NOT TAKING ADVICE OF 'ADMITTED HACKER'

Dang did not offer an apology to the person who shares a birthday with Kenney and received at least one COVID-19 vaccine shot in the same month as the premier, whose record Dang accessed in September.

"I'm not aware who this individual is and I didn't retain any of that information, so I have no way of contacting this person, even if I wanted to," the MLA told reporters.

He continued, "However, what I would say is that I believe the system exposed potentially every Albertan's information, and I want to say the Government of Alberta needed to do better," launching into a lecture on Alberta's need for more robust cyber security infrastructure.

According to Dang, the government fixed the vaccination records website one week after he found the flaw. He called it a security measure "so common that even self-taught and relatively untrained programmers know to implement this basic protection mechanism."

He plans to introduce a bill in the fall that would create a cyber defence office and disclosure program, to which vulnerabilities could be reported.

Nixon couldn't say if the government would take any action on cyber and information security this legislative session, but commented, "What I can tell you we will not be doing is getting an admitted hacker to tell us how to do the cyber security of the government."

CTV News Edmonton has reached out to the RCMP for updated comment. 

CTVNews.ca Top Stories

Suspect in shooting of Toronto cop was out on bail

A 21-year-old man who was charged with attempted murder in the shooting of a Toronto police officer this week was out on bail at the time of the alleged offence, court documents obtained by CTV News Toronto show.

Stay Connected