Independent MP Thomas Dang says he used basic encryption tools – and the premier’s date of birth – to hack into Alberta’s COVID-19 vaccination records website last year, an admission which led to questions on Tuesday about how the government was informed of the breach.
On his website Tuesday, the MP for Edmonton South described the actions that led him to quit the NDP caucus and make him the subject of an ongoing RCMP investigation.
“As an MP, I felt I had an obligation to check whether such negligent vulnerability could exist,” Dang wrote in a report titled How I did it. “In carrying out this test, I was acting in the public interest and within the framework of my role as an MP.”
Dang said he viewed a stranger’s COVID-19 vaccination records, but immediately informed an NDP caucus staffer that the site’s security was compromised.
A party spokesperson confirmed on Tuesday that Dang informed a caucus staffer of potential issues with the archives website on the morning of September 23 and that the health minister’s office was informed later that morning. by telephone and e-mail.
Health Minister Jason Copping told reporters Tuesday that his department was already aware of the vulnerability when the NDP informed his office on September 23.
Dang said the breach shows that Alberta’s information technology (IT) infrastructure is vulnerable. It calls on the province to establish protocols and a digital security office to better protect its computer systems from cyberattacks.
Nixon wants an investigation
Dang held a press conference Tuesday about his hack. Government House Leader Jason Nixon came forward and told reporters he wanted an investigation into Dang’s actions and those of the NDP.
Nixon said he plans to introduce a motion in the Legislative Assembly calling for an internal investigation that will likely be conducted by the Select Standing Committee on Members’ Services.
“I am frankly shocked today by some of Congressman Dang’s comments,” Nixon said.
“Yes, someone from NDP staff contacted the government at some point stating that they had heard from an anonymous person that there may have been a problem with a website,” he said. -he declares.
“But at no time did the official opposition or Mr. Dang indicate that he was the one hacking websites.”
At the press conference, Dang defended his actions. He said he did not have permission to conduct a security assessment, but decided to go it alone because he did not believe the province would have accepted his assistance unless he can first prove that there was a problem.
‘Scandalous Breach of Privacy’: Kenney
Dang resigned from the NDP caucus in December after the RCMP executed a search warrant at his home. An investigation – led by the Alberta RCMP’s Cybercrime Investigative Team – is underway but no charges have been laid, RCMP spokesman Fraser Logan said on Tuesday.
Later, during a heated question period, Premier Jason Kenney called on NDP Leader Rachel Notley to take full responsibility for the offence.
“Who else’s private information did the NDP seek to hack?” said Kenny. “And what did the leader of the NDP know about this outrageous violation of privacy?”
Notley said Dang was asked to leave the NDP caucus as soon as he was investigated by the RCMP.
“It’s a clear indication of how we see this behavior,” Notley said. “That’s why we asked him to leave and under no circumstances will he return as long as it is an active case.”
When Dang raised possible issues with the website, the health minister was immediately notified, but she and other caucus members were unaware of the details, Notley said. She said the NDP caucus was not informed that personal files had been accessed.
“[Dang] did not alert us that he had hacked into the website,” Notley said. “There had been a conversation online about the website vulnerability and he said, ‘I’ve confirmed this to be true’…I was told after the fact and I thought it was done.”
In his report on his actions, Dang, who has a background in cybersecurity and computer science, said he orchestrated the breach shortly after the Alberta vaccine registries website launched last September.
The site allowed Albertans to download their immunization records as unlocked PDF files, raising concerns that the documents could be easily tampered with.
The problem with PDF files has been fixed, but Dang said he received a complaint from a member of the public who was concerned about another weakness in the system.
“The website appeared to lack security features that would prevent a malicious attacker from scraping the website for Albertans’ personal health information,” Dang wrote.
Dang said he first tried to hack into the system by entering random dates and health numbers.
After five attempts, its Internet Protocol (IP) address was shut down. Dang said he bypassed the block using a widely available program – or script – that scrambled his IP address.
He then began using his own information to test the site, but later decided to use Kenney’s birth and vaccination dates instead, as Kenney’s information was public and could be verified by government officials if an infringement was discovered.
He said he wrote an automated program to test the system. Using it, he found the file of someone who shared Kenney’s birthday and had been vaccinated in the same month as the prime minister.
“As soon as I knew a record had been found, I immediately stopped the script. I then verified that the record was valid by requesting it from the website,” Dang wrote.
“When I saw that the file belonged to someone who was not the prime minister and who was also unknown to me, I immediately left the website and did not register any information.”
Dang said after alerting NDP caucus staff and the information being passed on to Alberta Health, the province released a new version of the website within a week. The new version fixed the flaw he had identified, he said.
Dang said he plans to introduce a private member’s bill to establish a new office focused on the security and defense of Alberta’s digital infrastructure.
He said he is cooperating with the RCMP investigation and remains hopeful that charges will not be laid.