Dang claims he hacked Alberta’s vaccine passport system to show loopholes

Content of the article

Edmonton South MPP Thomas Dang has admitted to hacking the Government of Alberta’s COVID-19 vaccine registration system last year using Premier Jason Kenney’s birthday.

Advertisement 2

Content of the article

In an exclusive interview with Postmedia, Dang, who resigned from the NDP caucus in December and now sits as an independent, said he did so to highlight security vulnerabilities and immediately forwarded what he had discovered in the government so that the problem could be solved.

He now wants Alberta to set guidelines so developers and cybersecurity experts can alert the government if they find any other flaws online and create a new office focused on digital security.

“I think what I did was an obligation in my role as an opposition MP,” he said.

“I think what I did was help the government close a critical security hole, and frankly I think the government should have put measures in place and had a program in place…so that this type of problem can be dealt with. correctly.”

Advertisement 3

Content of the article

A search warrant was executed last year at Dang’s home, but he has not been charged with a crime.

“Well within the skills of an amateur”

In September 2021, the Government of Alberta launched a website allowing residents to access their COVID-19 vaccination records using their health card number, date of birth and month they were vaccinated.

There was criticism when it was revealed that the maps could be downloaded as editable PDF files, making them easy to tamper with.

That issue was resolved, but around the same time, Dang, who is certified in “offensive security,” which involves testing computer systems, said he heard from someone with additional concerns.

“It’s very common in the industry that we have to prove there’s a problem before we can make a report,” he said.

Advertisement 4

Content of the article

According to an explanation posted on his website on Tuesday morning, Dang first tried to use random birthdays, hypothetical health care numbers and vaccination dates to see if he could access the site.

After five attempts, his Internet Protocol (IP) address was kicked out. But using a widely available program, he was able to bypass this block and now make multiple requests per second..

Dang said he tried using his own personal information, but decided that trying to access a stranger’s information was a better test to prove the site could be hacked.

He said he chose Kenney because the Prime Minister’s birthday and vaccination date were already public.

The script was able to guess the health card number of an Albertan who was not Kenney but corresponded to the prime minister’s birthday and the month he was vaccinated. Dang was able to use this information to access the PDF of the person’s vaccine passport.

Advertisement 5

Content of the article

“As soon as I knew a record had been found, I immediately stopped the script. I then verified that the record was valid by requesting the record from the website,” Dang wrote in his explanation in line.

“When I saw that the file belonged to someone who was not the Prime Minister and who was also unknown to me, I immediately left the website and did not register any information.”

Dang defended his decision to use the prime minister’s information, arguing that a public figure like Kenney is more likely to be targeted by hackers for this type of attempted breach.

“I can see why some people might think that (choosing Kenney) was a bad idea. But I would ask you to judge my actions more than anything else,” he said.

“Because if the purpose was to access the health information of other MPs or the UCP, I would have continued to run the script until I got that information.”

Advertising 6

Content of the article

He called his hack “something well suited to the skills of an amateur”.

Search warrant executed in December

Dang said the decision to hack into the system was his, but after he managed to access the information from overseas, he contacted NDP caucus staff and the information was passed on to Alberta Health.

Within weeks, the government had closed the loophole.

In December, the RCMP executed a search warrant for Dang’s home and he resigned from the NDP caucus to sit as an independent.

Dang told Postmedia he provided police with details of what he did.

When asked if he was prepared to face police consequences for his actions, Dang repeated that companies often hire security experts to test their systems.

Advertising 7

Content of the article

“I have not been charged or arrested with any offense and I look forward to seeing the outcome of their investigation and I am confident that they will deal with it appropriately,” he said.

Private member’s bill targets cybersecurity

Dang plans to introduce a private member’s bill in September that would create an office of information security and defense to deal with cybersecurity issues, a vulnerability disclosure program for people to report concerns, and make mandatory an annual report on the state of Alberta’s information infrastructure.

“Basically every major organization, or at least the technology organizations in the world, have a public vulnerability disclosure program. …These programs are designed to ensure that people who discover vulnerabilities are able to properly report technical details so they can be fixed without potentially exposing additional information,” he said.

Dang said he proved Alberta was unprepared for the kind of violation he was able to orchestrate.

“This is a pressing concern for Albertans right now,” he said.

[email protected]


Advertisement 1


Postmedia is committed to maintaining a lively yet civil discussion forum and encourages all readers to share their views on our articles. Comments can take up to an hour to be moderated before appearing on the site. We ask that you keep your comments relevant and respectful. We have enabled email notifications. You will now receive an email if you receive a reply to your comment, if there is an update to a comment thread you follow, or if a user follows you comments. See our Community Guidelines for more information and details on how to adjust your email settings.

Comments are closed.