Alberta MLA defends his decision to hack province's COVID-19 vaccine records system

Independent MLA Thomas Dang admits he used basic encryption tools — and the premier's birthdate  — to hack Alberta's COVID-19 vaccine records website last year.

On his website Tuesday, the MLA for Edmonton-South described the events that prompted his departure from the NDP caucus and made him the subject of an ongoing RCMP investigation.

"As an MLA, I believed I had an obligation to verify if such a negligent vulnerability could exist," Dang wrote in a report titled How I Did It.

"In conducting this test, I was acting in the public interest and within my role as an MLA."

Dang said he accessed a stranger's COVID-19 vaccination records but immediately informed a member of the NDP caucus staff that the site's security was compromised. The caucus staffer relayed the information to the government, Dang said.

RCMP executed a search warrant at Dang's home in December. An investigation — led by the Alberta RCMP Cybercrime Investigative Team — is ongoing, RCMP spokesperson Fraser Logan told CBC on Tuesday.

No charges have been laid, Logan said.

CBC News has requested comment from Alberta Health and the NDP. 

Dang, who resigned from the NDP caucus in December after the RCMP searched his home, said the breach shows that Alberta's information technology (IT) infrastructure is vulnerable.

He's calling on the province to establish new protocols — and a new digital security office — to better protect its IT systems from cyber attacks.

"It is a matter of fact that the government of Alberta released a website in 2021 that exposed the private health-care information of Albertans to an unnecessary risk of malicious use," Dang wrote in his report.

"Once I had proved it, I provided the government with the information required to fix it. Other actors with ill intent and with more time, expertise and resources had access to the vulnerability for nearly two weeks."

Dang, who has a background in cybersecurity and computer science, said he orchestrated the breach soon after Alberta's vaccine records website launched last September.

The site allowed Albertans to download their vaccine records as unlocked PDFs, leading to concerns the documents could be easily forged.