Edmonton-South MLA Thomas Dang says he used Alberta’s prime minister’s date of birth in September to prove that the government had “failed to implement the most basic safety protocols” on their COVID-19 vaccination website and accessed a private citizen’s information in the process.
In a white paper released Tuesday, Dang says he used Jason Kenney’s date of birth because it, as well as the prime minister’s vaccination status, was already public and could easily be verified by the government.
At the time, the information was required by the government’s website to download a PDF version of an Albertan vaccination certificate.
Dang is currently pursuing a degree in computer science at Athabasca University.
By hiding his IP address and writing a program to search for a personal health number, Dang found the health record for a person who had the same birthday and had received a vaccine in the same month as Kenney – but who was not Kenney.
Dang had not previously revealed that he was given access to a citizen’s case.
At a news conference Tuesday, the now independent MLA defended its actions as due diligence after hearing from a concerned voter.
“I believe that as an MLA it was my duty, and in fact when it was reported to me by a member of the public that this vulnerability could exist, that I had to verify it before I was able to make that reporting to the government “he told reporters.
“The rationale for using the information of the premiere … includes the premiere is a high-profile person with publicly available information [who] would probably already be the target of this type of attack. I thought it would minimize the risk of further harm or any unnecessary information exposure. “
DANG STANDS GRUND, HOUSE MANAGER IS LOOKING FOR REVIEW
Dang says that when he gained access to a member of the public journal, he immediately left the site without storing any information and notified the Ministry of Health and offered what he saw as a solution.
The RCMP launched an investigation in November and the following month searched Dang’s home in connection with “suspicious activity related to illegal access to private information related to the vaccination journal portal.” Dang was neither arrested nor charged that day, but he withdrew from the Alberta NDP.
Asked if he had regretted his actions, Dang said on Tuesday: “What I have done is that I have given and was able to help Alberta Health and the Government of Alberta ensure that Albertan’s personal and private information is more secure than it was before I performed the test. “
He denied that his hacking was a form of vigilante justice. And he insisted that he follow the principles of responsible publication in computer security.
“I did not believe, and I still do not believe, honestly, that the government would have accepted my help if I had offered it without proof that there was a problem,” Dang said.
“It’s not even about a political process. It’s not a party political issue. This is unacceptable behavior from a member of the Legislative Assembly,” Prime Minister Jason Nixon shot back Tuesday.
He plans to set up a committee to investigate how the legislature’s staff and resources were used by Dang, including when and what the official opposition NDP knew about the breach.
“Rachel Notley in particular has to respond when she knew about this,” Nixon said, disputing Dang’s claim that he contacted Alberta Health directly. “At no point does the official opposition or Rachel Notely state that a member of her caucus has hacked government websites to try to obtain the prime minister’s vaccination information.”
Depending on what the committee found, he said Dang could be fined, barred from taking his legislative seat for a period of time or expelled from the chamber.
“Forget about the politicians involved. A private citizen in Alberta’s records was accessed by a member of the Legislative Assembly through inappropriate means,” Nixon said.
“It’s not sound in any way.”
GOVERNMENT DOESN’T TAKE ADVICE OF ‘ADMITTED HACKER’
Dang did not offer an apology to the person sharing the birthday with Kenney and received at least one COVID-19 vaccine shot in the same month as the premiere, whose record Dang gained access to in September.
“I do not know who this person is and I have not kept any of this information, so I have no opportunity to contact this person even if I wanted to,” the MLA told reporters.
He continued, “But what I want to say is that I think the system potentially revealed all of Alberta’s information, and I would say that Alberta’s government needed to do better,” launched a talk on Alberta’s need for more robust cybersecurity infrastructure.
According to Dang, the government corrected the site for vaccination records a week after he found the bug. He called it a security measure “so common that even self-taught and relatively untrained programmers by implementing this basic protection mechanism.”
He plans to put forward a bill this fall that will create a cyber defense office and detection program to which vulnerabilities can be reported.
Nixon could not say whether the government would take any action on cyber and information security in this legislative session, but commented: “What I can tell you that we will not do is get an inpatient hacker to tell us how we make cyber security of the government. “
CTV News Edmonton has contacted the Alberta NDP and RCMP for an updated comment.