Experts call for better IT security after MLA admits he hacked Alberta vaccine records website

An Edmonton MLA's intentional breach of Alberta's COVID-19 vaccine records website should motivate the province to better safeguard its IT systems against hackers, cybersecurity experts say.

Thomas Dang described his hack last Septemberin a report he posted to his website Tuesday.

He said he used Premier Jason Kenney's birthdate and a simple coding program to access a stranger's vaccine record.

"The simplicity of this breach, that doesn't excuse the fact that maybe [Dang] shouldn't have done this," said Toronto-based cybersecurity analyst Ritesh Kotak.

"But we wouldn't be in this dilemma if simple cybersecurity protocols and procedures were followed in the first place."

Dang, who has a background in computer science, said he felt an obligation "as an MLA" to test the system after a member of the public warned him of possible vulnerabilities in the website.

The province said it was already aware that someone was trying to hack the website before Dang's breach was reported.

Dang said his breach demonstrates that the Alberta government needs better IT security.

He resigned from the NDP caucus in December after RCMP searched his home in relation to the breach. He remains under investigation by the RCMP cybercrimes unitand is sitting in the legislature as an independent.

White hats and bug bounties

Kotak said the province should be taking advantage of "good guys" in the IT industry, hiring ethical hackers also known as white-hat hackers to test its systems.

That's common practice in the private sector, he said. Companies contract IT professionals to probe websites for vulnerabilities by performing live attacks before and after they launch.

Alberta should also use a "bug bounty" system, paying IT experts for finding and reporting IT vulnerabilities, Kotak said.

The vaccine recordswebsite, which launched in September,allowed Albertans to download their vaccine records as unlocked PDFs, leading to concerns the documents could be easily forged.

The problem with the PDFs got fixed but Dang said he received a complaint from a member of the public who wasconcerned about a different weakness in the system.

'A problem with the system'

Dang said he wrote an automated program to test the system. Using it, he found the record of a person who shared Kenney's birthday and had received a vaccine in the same month as the premier.

Kotak said the breach was so simple any hacker could do it, and that the loophole suggests the site's security was weak and untested.

"Clearly there was a problem with the system. And if he was able to do it, so would somebody else. And he's being vilified," he said.

"There clearly was a rush to implement this system without doing these cybersecurity and privacy audits. This would have been flagged and caught right from the beginning."

Dang's admission triggered calls for an internal investigation into how he and the NDP caucus communicated his actions to government.

There are all very basic safeguards that need to be put in place when you deal with the personal information of any one person, let alone hundreds of thousands.-Cladiu Popa

Toronto-based cybersecurity expert Claudiu Popa said the province should instead investigate how the website failed to protect the personal medical information of Albertans.

Popa said he questions whether a privacy impact assessment was conducted on the vaccine records site before it went live in September.

"There are all very basic safeguards that need to be put in place when you deal with the personal information of any one person, let alone hundreds of thousands," he said.

"If that process was not followed, we can assume that there are other vulnerabilities."

Dang said he immediately advised his NDP caucus team of the breach, so that information could be relayed to the government.

The province says the vaccine records website is now safe and that all its systems are ready to repel a cyber attack.

Government spokesperson Lindsay Milligan said that before Alberta Health was informedabout Dang's breach on Sept. 23,it was already aware of the cyberattack.

"The department was informed by the technology developer that the portal was coming under cyberattack and was working to address the security of the portal," Milligan, press secretary to the minister of Service Alberta, said in a statement to CBC.

The report on Dang's breach did not name the MLA and did not inform any specific changes to the site, she said, but the website was upgraded with new security features.

Milligan said Albertans can be confident that the government takes cyberthreats seriously and is prepared to counteract them but declined to provide further details, citing security reasons.

She has yetto respond to questions from CBC about how the site was tested before it launched, who was responsible for developing it, or how potential hacks were communicated to users.

Dang's calls for improved cybersecurity oversight should be heard, Popa said.

Albertans should have been informed immediately about any attacks on the system and the site should have been taken down until they were fixed, he said.

"I'm not saying we should not investigate the allegations of hacking," he said. "But I think we need to investigate those vulnerabilities.

"We need to ask those questions but it does not mean we need to turn a person's life upside down because he decided to become a whistleblower."