Canada

Court documents allege MLA carried out ‘brute force attack’ on Alberta vaccine records site

Court documents obtained by CBC News show that until at least March 31, the RCMP was pursuing criminal charges against MLA Thomas Dang.

Dang was the subject of a months-long investigation by the RCMP’s Cyber ​​Crime Investigation Team after police were notified of an attempt in September 2021 to hack Alberta Health’s COVID-19 vaccine portal.

According to a receipt filed in provincial court and just unsealed Wednesday, Const. Christopher Augstman swore under oath: “I have reasonable grounds to believe that the following offenses have been committed, namely: unauthorized use of a computer.”

The Penal Code offense carries a maximum penalty of 10 years imprisonment on conviction.

Instead, the RCMP announced last month that, based on Crown recommendations, Dang was charged under the province’s Health Information Act with unlawfully attempting to access personal information, which could result in a fine of up to $200,000.

Dang will make his first court appearance on July 27.

A spokesperson for Alberta Justice did not explain why the Crown did not recommend criminal charges. The RCMP also declined to say whether they agreed with the Crown’s recommendation.

According to the Penal Code, unauthorized use of a computer is a crime only if the person has done it fraudulently and without justification.

Dang said that last September, a computer geek contacted him with concerns about potential vulnerabilities on the newly discovered Alberta Health vaccine portal.

According to a court document, Dang told the RCMP in a January interview that as an MLA with expertise in cybersecurity, it was his duty to ensure the system was secure. But an Edmonton cybersecurity expert disagrees.

“That’s not what ethical hackers do,” said NAIT cybersecurity chair John Zabiuk, who told the CBC he believes Dang should have been charged criminally.

“That’s like a man saying it’s my duty to rob a bank because the bank is there.”

1.78 million queries

According to court documents, Dang told RCMP he didn’t contact Alberta Health because he didn’t think he would be able to reach anyone at the department Friday afternoon.

But the vaccine portal was down until Sunday, September 19, the same day Dang began testing the site.

He admits he chose Prime Minister Jason Kenney’s date of birth to conduct his test.

Court documents describe Dang’s attempts as a “brute force assault.”

Between September 19 and 23, Dang’s computer program made 1.78 million queries using Kenny’s personal information. Dang admitted to the RCMP and later during a press conference that the inquiries were randomly generated guesses aimed at revealing the prime minister’s health number.

UCP MLA Brad Rutherford, the government’s chief whip, was overwhelmed by the volume of inquiries.

“It’s a dastardly act,” Rutherford said. “Especially over a period of four days.”

Court documents show that on Sept. 23, Dang successfully hit a health care number using Kenny’s date of birth.

The information he found belonged to an unnamed woman who shared the prime minister’s date of birth and the month of the vaccine.

Dang ran two back-to-back manual tests to check. At the time, according to court documents, he said he notified NDP chief of staff Jeremy Nolais and NDP communications director Benjamin Aldreth of his findings.

In a white paper he posted online March 22, Dang said an NDP staff member “expressed concern that I was able to verify a breach and that I attempted such a test.” The white paper was later deleted.

Dang said he told the official to disclose the information to the government as soon as possible.

Eight minutes after the third test, Alldritt emailed Alberta Health director of communications Steve Buick.

The email, reproduced in the Receipt Information, shows that Aldreth did not say that Dang was the one who alerted them.

He called the informant a ‘party’, then added: ‘It may be a joke, but their tone seems genuinely concerned. We hope the department can look into this as soon as possible.”

Rutherford thinks the NDP’s actions are suspicious.

“Apparently they saw in his actions that something wrong had happened. Their first instinct was to protect it instead of being upfront with Albertans,” Rutherford said.

A week later, additional security was added to the vaccine portal. At that time, Dang had no idea that he was the subject of a criminal investigation.

Dang’s future is uncertain

The RCMP asked a provincial court judge to issue a warrant to search Dang’s house on Dec. 20.

The Mounties also requested a sealing order, with the court document stating, “If the person responsible discovers that they are being investigated prior to the execution of this search warrant, they may destroy evidence on their computers.”

RCMP executed a search warrant on December 21, 2021 at the south Edmonton home of Thomas Dang. (Nathan Gross/CBC)

The search warrant was executed the next day, two months after Dang informed the NDP chief of staff and communications director of what he had done.

In a written statement to CBC News on Wednesday, Aldreth said he has cooperated fully with the RCMP and provided them with all the documents they requested.

Dang resigned from the NDP caucus pending the results of the investigation. He wants to return to the group, but is currently independent.

According to an NDP spokesperson, there is no timetable for a decision on Dang’s future, including whether he will be allowed to seek the nomination before the May 2023 election.

Dang declined to answer CBC questions about the court documents, but in previous interviews he has defended his actions.

He said at a news conference in March that he didn’t have permission to conduct a security assessment but decided to go it alone because he didn’t believe the province would accept his help unless he could first prove there was a problem.

NAIT’s cybersecurity chair isn’t buying it.

John Zabiuk is NAIT’s Chair of the Cybersecurity Program. (Google Meet)

“It really disappoints me. It gives the whole industry a bad name,” Zabiuk said.

He believes Dang should face serious consequences if the allegations are proven in court.

“There should be consequences for anyone who does something that is against the law,” Zabiuk said. “Whether it’s a fine, whether he’ll be suspended from the party or not be allowed to run again, that’s not up to me.”

“But there has to be some form of sanction against someone who breaks the law.