Edmonton MLA admits to using premier’s birth date to hack Alta. COVID-19 records system

Edmonton-South MLA Thomas Dang says he used Alberta’s premier’s birth date to access the province’s COVID-19 vaccination website in September to prove the government had “failed to implement the most basic security protocols.”

In a white paper published Tuesday and titled, “How I Did It: An Investigation into the Security of the Government of Alberta’s Vaccine Record Website,” Dang says he used Jason Kenney’s birth date because it, as well as the premier’s vaccination status, were already public and would be easily verifiable by the government. 

The website allowed Albertans to download their proof of vaccination, first provided in PDF form, then later as a QR code. 

“I can see why some people might think that wasn’t the best idea,” Dang said in a statement Tuesday morning. “But, since the Premier had already made his birthday and vaccination status public, it seemed like the best way to test the system without exposing anyone else’s information.”

However, through hiding his IP address and writing a program to search for a personal health number, he found the health record of a person who had the same birthday and had received a vaccine in the same month as Kenney – but who was not Kenney. 

Dang says he immediately left the website without saving any information and notified the health ministry and the Alberta NDP caucus, of which he was a member at the time. 

SECURITY FLAW PROVEN: DANG 

RCMP launched an investigation in November and, the following month, searched Dang’s home in relation to “suspicious activity related to unlawful access of private information related to the vaccination records portal.” Dang was neither arrested nor charged that day, but he did resign from the NDP. 

On Tuesday, he called himself successful in proving the province had failed to keep Albertans’ information safe. 

“At the end of the day, the Government of Alberta failed to implement even the most basic security measures before launching a website that exposed Albertans’ personal health information. That information was vulnerable to malicious actors for nearly two weeks. Every single Albertan should be extremely concerned about the Government of Alberta’s cybersecurity and their ability to protect Albertans’ information in the event of a cyber attack.”

According to Dang, the government updated the site a week later, fixing the flaw he had been able to exploit. The now-independent MLA called it a security measure “so common that even self-taught and relatively untrained programmers know to implement this basic protection mechanism.” 

Dang is currently pursuing a computer science degree at Athabasca University. 

Now an independent, he plans to introduce a bill in the fall that would create an cyber defence office and disclosure program to which vulnerabilities could be reported. 

He’s due to speak about the matter further Tuesday morning. Watch the news conference live at 11 a.m. on CTVNewsEdmonton.ca. 

More to come…

View original article here Source