Alberta MLA claims he hacked Alberta vaccine passport system using Kenney’s birthday to highlight flaws
“I think that what I did was as an obligation under my role as an opposition MLA,” he said.
Edmonton-South MLA Thomas Dang has admitted to hacking the Alberta government’s COVID-19 vaccine record system last year using Premier Jason Kenney’s birthday.
In an exclusive interview with Postmedia, Dang, who resigned from the NDP caucus in December and now sits as an independent, said he did it to highlight security vulnerabilities and immediately passed what he uncovered on to the government so that the problem could be fixed.
He now wants Alberta to establish guidelines so developers and cyber security experts can alert the government if they find other online loopholes and create a new office focusing on digital security.
“I think that what I did was as an obligation under my role as an opposition MLA,” he said.
“I think that what I did was assist the government in closing a critical security vulnerability, and frankly, I believe that the government should have had measures in place and should have had a program in place … so this type of issue can be dealt with properly.”
Article content
A search warrant was executed last year at Dang’s home but he has not been charged with a crime.
‘Well within the skill set of an amateur’
In September 2021, the Alberta government released a website for residents to access their COVID-19 vaccination records using their health card number, birthday and month they were vaccinated.
There was criticism when it was revealed cards could be downloaded as editable PDFs making them easy to forge.
That problem was fixed, but around the same time Dang, who is certified in “offensive security,” which involves computer system testing, said he heard from someone with additional concerns.
“It’s very common in the industry that we have to prove there is a problem before we can make a report,” he said.
Article content
According to an explanation published on his website Tuesday morning, Dang first attempted to use random birthdays, hypothetical health-care numbers and vaccination dates to see if he could access the site.
After five attempts, his internet protocol (IP) address was shut out. But using a widely-available program he was able to bypass that block and now make multiple queries per second.
Dang said he tried using his own personal information but decided that trying to access a stranger’s information was a better test to prove the site could be hacked.
He said he chose Kenney because the premier’s birthday and vaccination date were already public.
The script was able to guess the health card number of an Albertan who wasn’t Kenney but who matched with the premier’s birthday and the month he was vaccinated. Dang was able to use that information to access the person’s vaccine passport PDF.
