Independent MLA Thomas Dang says he used basic encryption tools — and the premier’s birthdate — to hack Alberta’s COVID-19 vaccine records website last year, an admission that led to questions Tuesday about how the government was informed of the breach.
On his website Tuesday, the Edmonton-South MLA described actions that prompted his departure from the NDP caucus and made him the subject of an ongoing RCMP investigation.
“As an MLA, I believed I had an obligation to verify if such a negligent vulnerability could exist,” Dang wrote in a report titled How I Did It. “In conducting this test, I was acting in the public interest and within my role as an MLA.”
Dang said he accessed a stranger’s COVID-19 vaccination records but immediately informed a member of the NDP caucus staff that the site’s security was compromised.
A party spokesperson confirmed Tuesday that Dang informed a caucus staffer of potential problems with the records website on the morning of Sept. 23 and that the health minister’s office was informed later that morning by phone and by email.
Health Minister Jason Copping told reporters Tuesday that his department already knew about the vulnerability by the time the NDP told his office on Sept. 23.
Dang said the breach shows that Alberta’s information technology (IT) infrastructure is vulnerable. He’s calling on the province to establish protocols and a digital security office to better protect its IT systems from cyberattacks.
Nixon wants investigation
Dang held a news conference Tuesday about his hacking. Government House leader Jason Nixon showed up and told reporters he wants an investigation into Dang’s actions and those of the NDP.
Nixon said he plans to put forward a motion in the legislature calling for an internal investigation that would likely be led by the special standing committee on members’ services.
“I am quite shocked today, frankly, by some of MLA Dang’s comments,” Nixon said.
“Yes, somebody from the NDP staff did contact the government at some point, indicating that they had heard from an anonymous person that there may have been a situation with a website,” he said.
“But at no time did the Official Opposition or Mr. Dang indicate that it was him who was hacking websites.”
During the news conference, Dang defended his actions. He said he didn’t have permission to perform a security assessment but decided to act on his own because he didn’t believe the province would have accepted his help unless he was able to first prove there was a problem.
‘Outrageous violation of privacy’: Kenney
Dang resigned from the NDP caucus in December after RCMP executed a search warrant at his home. An investigation — led by the Alberta RCMP Cybercrime Investigative Team — is ongoing but no charges have been laid, RCMP spokesperson Fraser Logan said Tuesday.
Later, during a heated question period, Premier Jason Kenney called on NDP Leader Rachel Notley to take full responsibility for the breach.
“Who else’s private information did the NDP seek to hack into?” Kenney said. “And what did the leader of the NDP know about this outrageous violation of privacy?”
Notley said Dang was asked to leave the NDP caucus as soon as he fell under RCMP investigation.
“That’s a clear indication of how we see this behavior,” Notley said. “That is why we asked him to leave and under no circumstances will he be coming back while this is an active matter.”
When Dang raised possible problems with the website, the health minister was immediately informed but she and other caucus members were not aware of the details, Notley said. She said the NDP caucus wasn’t told that any personal files had been accessed.
“[Dang] didn’t alert us that he had hacked the website,” Notley said. “There had been an online conversation about the vulnerability of the website and he said, ‘I have confirmed this to be true’ … I was told after the fact and I thought it was done.”
In his report on his actions, Dang, who has a background in cybersecurity and computer science, said he orchestrated the breach soon after Alberta’s vaccine records website launched last September.
The site allowed Albertans to download their vaccine records as unlocked PDFs, leading to concerns the documents could be easily forged.
The problem with the PDFs got fixed but Dang said he received a complaint from a member of the public who was concerned about a different weakness in the system.
“The website appeared to lack security features that would prevent a malicious attacker from scraping the website for the personal health information of Albertans,” Dang wrote.
Dang said he first tried to hack the system by punching in random dates and health numbers.
After five attempts, his internet protocol (IP) address was shut down. Dang said he bypassed the block using a widely available program — or script — that scrambled his IP address.
He then began using his own information to test the site, but later decided to use Kenney’s birth and vaccination dates instead, as Kenney’s information was public and could be verified by government officials if a breach was found.
He said he wrote an automated program to test the system. Using it, he found the record of a person who shared Kenney’s birthday and had received a vaccine in the same month as the first.
“As soon as I was aware that a record had been found, I immediately stopped the script. I then verified that the record was valid by requesting the record from the website,” Dang wrote.
“When I saw that the record belonged to an individual that was not the premier and was also unknown to me, I immediately exited the website and did not save any information.”
Dang said that after he alerted NDP caucus staff and the information was relayed to Alberta Health, the province released a new version of the website within a week. The new version fixed the flaw he had identified, he said.
Dang said he plans to table a private member’s bill to establish a new office focusing on the security and defense of Alberta’s digital infrastructure.
He said he is co-operating with the RCMP investigation and remains hopeful that charges will not be ugly.