Months after exposing a security vulnerability with the province’s vaccine passport website, and subsequently coming under investigation from the RCMP and being removed from the NDP caucus, Thomas Dang is giving more details about what he did.
The MLA for Edmonton-South has released a white paper on his website called “How I Did It” which goes in-depth into how he carried out the hack and the reasoning behind it.
Dang used his background in computer science to follow through on suggestions that the government’s first iteration of the website was vulnerable to security issues and the possibility that people could obtain the vaccine records of other Albertans.
He said after several unsuccessful attempts to breach through the system, Dang programmed some code over a couple of hours that would randomly generate health care card numbers while using a device to mask his IP address so he wouldn’t get kicked out of the website.
Then, as a basis for the search, he chose two pieces of public information to add to the website and narrow it down.
For this, Dang used Premier Jason Kenney’s birthday and date of first vaccination.
Dang wrote that this eventually turned out to be successful, but instead of finding Kenney’s vaccination record, he obtained the record of another Albertan whose data matched the same dates. He said he quickly exited out of the site and informed a staff member within the NDP caucus and urged them to inform the government about this.
He said the staffer expressed concern about what happened and the actions Dang took, and then informed the Ministry of Health.
After this all happened, an update on the vaccine passport site added additional security measures to eliminate the vulnerability a week later. Also, Dang became the subject of an RCMP investigation and he was removed from the NDP caucus.
Related article: Thomas Dang steps down amid RCMP investigation
On Tuesday, he released the paper and answered questions from reporters about why he did it.
“I believe that as an opposition MLA, as a private member of the assembly, I had an obligation to investigate and report concerns that are raised to me,” he said. “If this vulnerability did exist, I would have to be able to ensure that the government could fix it and that Albertans’ personal and private information would not be exposed and vulnerable to the public.”
Dang said this sort of method of exposing security flaws is “common” in the information security field, and he did not try to obtain any other records after the successful attempt.
He also pushed back on questions this amounted to identity theft.
“I didn’t use anybody else’s identity, I used their vaccination month and birth date,” he said. “I think that right now, it is clear that the Government of Alberta does not have the necessary information security infrastructure in place and they need to rectify that.
“I immediately reported this breach to Alberta Health, including the method they would need to implement to rectify and close this loophole.”
Dang said he continues to cooperate with the RCMP investigation, and there were some details he could not divulge further because of the case. No charges have been laid.
On the other side of the aisle, UCP MLA and Government House Leader Jason Nixon doesn’t buy Dang’s story, and said he wants to try and launch a committee investigation at the legislature.
“An everyday Albertan’s record was violated by the then-NDP Ethics Critic through hacking, which is unacceptable,” Nixon said. “I can’t trust anything that Thomas Dang is saying.”
Nixon said he has no record of Dang personally informing the government about the hack, and instead, it came through the NDP staffer who credited a confidential source.
He also said Dang had ample opportunities to bring it up in the legislature during Question Period but that did not happen.
“If this is so-called ‘ethical hacking’ – and I’ve never heard the term before – then why would you do it in the middle of the night in the dark?”
But despite saying he planned on introducing a motion to launch an internal investigation, Nixon did not present it on Tuesday afternoon.
Dang, for his part, said he would introduce a bill to try and bolster cybersecurity in government in response.
While Dang said he did nothing wrong and followed the protocols of an information security firm by taking this action, there is disagreement from an expert.
John Zabiuk, chair of Cyber Security at NAIT, said if, for example, someone from outside Microsoft started exploring the inner workings of its systems to find flaws, it would not be legal.
“It’s not ethical hacking anymore, it’s just straight-up unethical hacking,” he said.
Zabiuk said many organizations will usually hire people specifically for this type of work, and there is a cybersecurity department within the government that should be able to handle these sorts of problems, despite the point Dang made that there isn’t a proper way to report these types of flaws.
“Definitely they should have been looking at this, they should’ve probably hired somebody if they didn’t have the expertise to do this,” he said. “The government does have a cybersecurity area within their ministry and they are responsible for doing testing like this. But again, it has to be the individual organizations like Alberta Health to reach out to this department and they can coordinate that type of testing. ”
He added that while some companies will have so-called “bug bounty” programs – where individuals will get paid if they point out security flaws within an organization – there are questions about whether this would be appropriate for something like the government which handles very sensitive private information from people around the province.
“The problem with having a bug bounty with a system like the government or for instance health records, anything along those lines, is you’re opening the door and you’re making an invitation to everybody ‘Hey, come try to hack us, come see what you can find on our systems. ‘ You’re attracting the world to try and break into your system, ”he said. ”
Should they employ ethical hackers? Absolutely. Should they have done that in the system in question? Absolutely, they should have. But just because they didn’t give people the right to do it on their own. ”