An Edmonton MLA’s intentional breach of Alberta’s COVID-19 vaccination records website should motivate the province to better protect its computer systems from hackers, cybersecurity experts say.
Thomas Dang described his hack last September in a report he posted on his website on Tuesday.
He said he used Premier Jason Kenney’s date of birth and a simple program to access a stranger’s vaccination record.
“The simplicity of this breach does not excuse the fact that perhaps [Dang] shouldn’t have done that,” said Toronto-based cybersecurity analyst Ritesh Kotak.
“But we wouldn’t be in this dilemma if simple cybersecurity protocols and procedures were followed in the first place.”
Dang, who has a computer science background, said he felt compelled “as an MLA” to test the system after a member of the public warned him about possible vulnerabilities in the website.
The province said it was already aware that someone was trying to hack into the website before Dang’s breach was reported.
Dang said his breach demonstrates that the Alberta government needs better computer security.
He resigned from the NDP caucus in December after the RCMP searched his home in connection with the offence. He remains under investigation by the RCMP’s cybercrimes unit and sits in the Legislative Assembly as an independent.
White hats and bug bounties
Kotak said the province should take advantage of the “good guys” in the IT industry, hiring ethical hackers – also known as white hats – to test its systems.
This is common practice in the private sector, he said. Companies hire security professionals to probe websites for vulnerabilities by running controlled attacks against them before and after launch.
Alberta should also run a “bug bounty” program, paying outside researchers who find and report vulnerabilities, Kotak said.
The Immunization Records website, which launched in September, initially let Albertans download their immunization records as unlocked PDF files, raising concerns that the documents could easily be tampered with.
The problem with PDF files has been fixed, but Dang said he received a complaint from a member of the public who was concerned about another weakness in the system.
“A problem with the system”
Dang said he wrote an automated program to test the system. Using it, he found the record of someone who shared Kenney’s birthday and had been vaccinated in the same month as the premier.
Kotak said the breach was so simple that any hacker could have done it, and that the flaw suggests the site’s security was weak and untested.
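The article does not describe the portal’s form fields or how Dang’s program worked, so the following is an added illustration, not code from the article, from Dang or from the Alberta portal. It models the weakness the experts describe: a record lookup keyed only on guessable personal data (date of birth plus vaccination date), with nothing to stop an automated guesser, beside a hardened lookup that adds a per-client attempt budget and a high-entropy access code issued out of band. The records, field names, class names and the attempt limit are all constructed assumptions.

```python
"""Added example: why a lookup keyed on guessable data is enumerable,
and how an attempt limit plus a high-entropy code stops it.
Everything here (data, field names, limits) is constructed for illustration."""
import calendar
import secrets
from datetime import date

# Constructed sample data: fictional people, not real Albertans.
RECORDS = [
    {"name": "Person A", "dob": date(1968, 5, 30), "vax_date": date(2021, 9, 14)},
    {"name": "Person B", "dob": date(1968, 5, 30), "vax_date": date(2021, 3, 2)},
    {"name": "Person C", "dob": date(1990, 1, 1), "vax_date": date(2021, 9, 20)},
]


class WeakLookup:
    """Lookup keyed only on date of birth and vaccination date, with no
    attempt limit: the kind of design the article's experts criticise."""

    def lookup(self, client, dob, vax_date, access_code=None):
        for r in RECORDS:
            if r["dob"] == dob and r["vax_date"] == vax_date:
                return r
        return None


class HardenedLookup:
    """Same two fields plus two assumed controls: a per-client budget of
    failed attempts, and a random access code handed to each person out of
    band (for example printed on the card), so DOB and date alone never
    return a record."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.attempts = {}  # client id -> failed attempts so far
        # One random 128-bit code per record (constructed stand-in for an
        # out-of-band secret).
        self.codes = {r["name"]: secrets.token_urlsafe(16) for r in RECORDS}

    def lookup(self, client, dob, vax_date, access_code=None):
        if self.attempts.get(client, 0) >= self.max_attempts:
            raise PermissionError("client locked out")
        for r in RECORDS:
            if (r["dob"] == dob and r["vax_date"] == vax_date
                    and access_code is not None
                    and secrets.compare_digest(self.codes[r["name"]], access_code)):
                self.attempts[client] = 0
                return r
        self.attempts[client] = self.attempts.get(client, 0) + 1
        return None


def enumerate_month(service, dob, year, month, client="guesser"):
    """Try every day of one month as the vaccination date, the way an
    automated program would. Returns (record_or_None, attempts_made)."""
    days = calendar.monthrange(year, month)[1]
    attempts = 0
    for day in range(1, days + 1):
        attempts += 1
        try:
            hit = service.lookup(client, dob, date(year, month, day))
        except PermissionError:
            return None, attempts  # budget exhausted, enumeration stops
        if hit is not None:
            return hit, attempts
    return None, attempts


if __name__ == "__main__":
    dob = date(1968, 5, 30)  # a birthday known to the guesser
    # With the DOB fixed, the whole search space is one month of dates.
    print("guesses needed to cover September:", calendar.monthrange(2021, 9)[1])
    print("weak:", enumerate_month(WeakLookup(), dob, 2021, 9))
    print("hardened:", enumerate_month(HardenedLookup(), dob, 2021, 9))
```

Against the weak service the guesser finds Person A on the 14th try, because a known birthday leaves at most 31 candidate dates per month; against the hardened service it is locked out after five failures and would not match even with the right date, since the code is not guessable. The legitimate owner still succeeds by presenting their code. The lockout is per client here only to keep the example short; in a real deployment the budget would also be applied per target record, so that a guesser rotating source addresses gains nothing.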
“There was clearly something wrong with the system. And if he was able to do it, someone else would do it too. And he’s reviled,” he said.
“There was clearly a rush to implement this system without doing these cybersecurity and privacy audits. It would have been flagged and detected early on.”
Dang’s admission sparked calls for an internal investigation into how he and the NDP caucus communicated his actions to the government.
Claudiu Popa, a Toronto-based cybersecurity expert, said the province should instead investigate how the website failed to protect Albertans’ personal health information.
Popa said he wondered whether a privacy impact assessment had been conducted on the immunization records site before it went live in September.
“There are all very basic safeguards that need to be in place when you’re dealing with one person’s personal information, let alone hundreds of thousands,” he said.
“If this process was not followed, we can assume that there are other vulnerabilities.”
Dang said he immediately informed his NDP caucus team of the breach, so the information could be passed on to the government.
The province says the immunization records website is now secure and all of its systems are ready to fend off a cyberattack.
Government spokesperson Lindsay Milligan said that before Alberta Health was notified of Dang’s September 23 breach, it already knew the site was under attack.
“The department has been notified by the developer of the technology that the portal is under cyberattack and is working to keep the portal secure,” Milligan, press secretary to the Minister of Service Alberta, said in a statement to CBC.
The report of Dang’s breach did not identify him as the MLA involved and did not prompt any specific changes to the site, she said, but the website has since been upgraded with new security features.
Milligan said Albertans can be sure the government takes cyber threats seriously and is ready to counter them, but declined to provide further details, citing security concerns.
She has yet to respond to questions from CBC about how the site was tested before launch, who was responsible for its development, or how potential hacks were communicated to users.
Dang’s calls for better cybersecurity oversight must be heard, Popa said.
Albertans should have been notified immediately of any attacks on the system, and the site should have been shut down until the vulnerabilities were fixed, he said.
“I’m not saying we shouldn’t investigate hacking allegations,” he said. “But I think we need to investigate these vulnerabilities.
“We have to ask these questions, but that doesn’t mean we have to turn someone’s life upside down because they’ve decided to become a whistleblower.”