Edmonton MLA admits to using premier's birth date to hack Alta. COVID-19 records system
Edmonton-South MLA Thomas Dang says he used Alberta's premier's birth date in September to prove the government had "failed to implement the most basic security protocols" on its COVID-19 vaccination website by hacking it, and accessed a private citizen's information in the process.
In a white paper published Tuesday, Dang says he used Jason Kenney's birth date because it, as well as the premier's vaccination status, was already public and would be easily verifiable by the government.
At the time, the government website required those pieces of information to download a PDF version of an Albertan's proof of vaccination.
Dang is currently pursuing a computer science degree at Athabasca University.
By hiding his IP address and writing a program to search for a personal health number, Dang found the health record of a person who had the same birthday and had received a vaccine in the same month as Kenney – but who was not Kenney.
Dang had not previously disclosed he gained access to a citizen's file.
In a news conference Tuesday, the now-independent MLA defended his actions as due diligence after hearing from a concerned constituent.
"I believe that as an MLA, it was my obligation, and indeed when it was reported to me by a member of the public that this vulnerability could exist, that I needed to verify it before I was able to make that report to the government," he told reporters.
"The rationale for using the premier's information … includes the premier is a high-profile person with publicly available information [who] would likely already be the target of this type of attack. I believed that would minimize the risk of further harm or any unnecessary information exposure."
DANG STANDS GROUND, HOUSE LEADER SEEKS REVIEW
Dang says upon accessing a member of the public's record, he immediately left the website without saving any information and notified the health ministry, offering what he saw as a solution.
RCMP launched an investigation in November and, the following month, searched Dang's home in relation to “suspicious activity related to unlawful access of private information related to the vaccination records portal.” Dang was neither arrested nor charged that day, but he did resign from the Alberta NDP.
When asked if he had any regrets, Dang said on Tuesday: "What I've done is I've provided and was able to assist Alberta Health and the Government of Alberta in ensuring that Albertans' personal and private information is more secure than it was before I performed the test."
He rejected the suggestion that his hacking was a form of vigilante justice, and he insisted he followed the principles of responsible disclosure in computer security.
"I did not believe, and I still do not believe, honestly, the government would have accepted my help if I had offered it without proof there was an issue," Dang said.
"It's not even about a political process. It's not a partisan question. This is unacceptable behaviour from a member of the legislature," Government House Leader Jason Nixon fired back.
He plans to set up a committee to investigate how legislature staff and resources were used by Dang, including when and what the Official Opposition NDP knew about the breach.
"Particularly Rachel Notley needs to answer when she knew about this," Nixon said, disputing Dang's claim he directly contacted Alberta Health. "At no time does the Official Opposition or Rachel Notley indicate that a member of her caucus has been hacking government websites trying to get the premier's vaccination information."
Notley told reporters Tuesday that Dang had informed an NDP staff member that a vulnerability in the site had been discovered and confirmed, but she didn’t know how it had been confirmed.
“Never at any time did I become aware of any personal information being accessed or did we receive any personal information,” said Notley.
Depending on what the committee finds, Nixon said Dang could be fined, barred from taking his legislature seat for a period, or expelled from the chamber.
"Forget about the politicians involved. A private citizen of Alberta's records were accessed by a member of the legislature through inappropriate means," Nixon said.
"It's not justifiable in any means."
GOVERNMENT NOT TAKING ADVICE OF 'ADMITTED HACKER'
Dang did not offer an apology to the person who shares a birthday with Kenney and received at least one COVID-19 vaccine shot in the same month as the premier, whose record Dang accessed in September.
"I'm not aware who this individual is and I didn't retain any of that information, so I have no way of contacting this person, even if I wanted to," the MLA told reporters.
He continued, "However, what I would say is that I believe the system exposed potentially every Albertan's information, and I want to say the Government of Alberta needed to do better," launching into a lecture on Alberta's need for more robust cyber security infrastructure.
According to Dang, the government fixed the vaccination records website one week after he found the flaw. He called it a security measure "so common that even self-taught and relatively untrained programmers know to implement this basic protection mechanism."
He plans to introduce a bill in the fall that would create a cyber defence office and disclosure program, to which vulnerabilities could be reported.
Nixon couldn't say if the government would take any action on cyber and information security this legislative session, but commented, "What I can tell you we will not be doing is getting an admitted hacker to tell us how to do the cyber security of the government."
CTV News Edmonton has reached out to the RCMP for updated comment.