Court documents allege MLA conducted ‘brute force attack’ on Alberta vaccine records site | #government | #hacking | #cyberattack

Court documents obtained by CBC News show that at least until March 31, the RCMP were pursuing a criminal charge against MLA Thomas Dang. 

Dang was the target of a months-long investigation conducted by the RCMP cybercrime investigation team after police were alerted to a September 2021 attempt to hack into the Alberta Health COVID-19 vaccine portal.

According to an Information to Obtain filed with provincial court and just unsealed Wednesday, Const. Christopher Augstman swore under oath, “I have reasonable grounds to believe that the following offences have been committed, namely: unauthorized use of a computer.”

The Criminal Code offence carries a maximum penalty of 10 years in prison upon conviction. 

Instead, RCMP announced last month that based on Crown recommendations, Dang was charged under the province’s Health Information Act for illegally attempting to access private information, which could result in a fine of up to $200,000.

Dang will make his first court appearance on July 27.

A spokesperson for Alberta Justice would not explain why the Crown did not recommend criminal charges. The RCMP also refused to say if they agreed with the Crown’s recommendation.

According to the Criminal Code, unauthorized use of a computer is only a criminal offence if the person did so fraudulently and without justification.

Dang has said that last September, a computer-savvy constituent contacted him with concerns about potential vulnerabilities on the newly launched Alberta Health vaccine portal.

According to a court document, Dang told RCMP in a January interview that as an MLA with experience in cybersecurity it was his duty to ensure the system was secure. But an Edmonton cybersecurity expert disagrees. 

“That’s not what ethical hackers do,” said NAIT cybersecurity chair John Zabiuk,  who told CBC he believes Dang should have been charged criminally. 

“That’s like a person saying it’s my duty to rob a bank because the bank is there.”

1.78 million queries

According to court documents, Dang told RCMP he didn’t contact Alberta Health because he didn’t think he would be able to reach anyone in the department on a Friday afternoon. 

But the vaccine portal was not operational until Sunday, Sept. 19, the same day Dang began testing the site. 

He admits he chose Premier Jason Kenney’s birthdate to run his test. 

The court documents refer to Dang’s attempts as a “brute force attack.”

Between Sept. 19 and 23, Dang’s computer program made 1.78 million queries using Kenney’s personal information. Dang admitted to RCMP and later during a news conference that the queries were randomly generated guesses aimed at revealing the premier’s health-care number. 

UCP MLA Brad Rutherford, the chief government whip, was stunned by the sheer volume of queries. 

“It’s a nefarious action,” Rutherford said. “Especially over a four-day period.”

Court documents show that on Sept. 23, Dang got a successful hit on a health-care number using Kenney’s birthdate. 

The information he unearthed belonged to an unnamed woman who shared the premier’s date of birth and vaccine month.

Dang ran two subsequent manual tests to verify. By that time, according to court documents, he said he had notified the NDP chief of staff, Jeremy Nolais, and NDP director of communications Benjamin Alldritt about his findings. 

In a white paper he published online on March 22, Dang said an NDP staff member “expressed concern that I had managed to verify a breach and that I had attempted such a test.” The white paper was later deleted.

Dang said he told the staff member to disclose the information to the government as soon as possible. 

Eight minutes after the third test, Alldritt sent an email to Alberta Health communications director Steve Buick. 

The email, reproduced in the Information to Obtain, shows Alldritt didn’t say that it was Dang who tipped them off.

He referred to the informant as “a party,” then added: “It’s possible that this is a prank, but their tone seems genuinely concerned. Hopefully the dept can look into this ASAP.”

Rutherford thinks the NDP’s actions were suspicious. 

“Clearly they saw in his actions that something wrong had happened. Their first instinct was to protect him, instead of being forthright with Albertans,” Rutherford said. 

A week later, additional security was added to the vaccine portal. Dang had no idea at that point that he was under criminal investigation.

Dang’s future uncertain 

RCMP asked a provincial court judge to issue a search warrant for Dang’s house on Dec. 20.

Mounties also requested a sealing order, stating in the court document, “If the person responsible were to discover they are under investigation prior to the execution of this search warrant, they may destroy evidence on their computers.”

RCMP executed a search warrant on Dec. 21, 2021 at Thomas Dang’s southside Edmonton home. (Nathan Gross/CBC)

The search warrant was executed the next day, two months after Dang informed the NDP chief of staff and communications director about what he’d done. 

In a written statement to CBC News on Wednesday, Alldritt said he co-operated fully with the RCMP and provided them with all the documents they requested.

Dang resigned from the NDP caucus, pending the outcome of the investigation. He wants to return to caucus, but currently sits as an independent.

According to an NDP spokesperson, there is no timeline for making a decision on Dang’s future, including whether he’ll be allowed to stand for nomination ahead of the May 2023 election. 

Dang declined to answer questions from the CBC about the court documents, but in previous interviews, he has defended his actions. 

He said at a news conference in March that he didn’t have permission to perform a security assessment but decided to act on his own because he didn’t believe the province would have accepted his help unless he was able to first prove there was a problem.

The NAIT cybersecurity chair doesn’t buy it. 

John Zabiuk is the NAIT chair of the cybersecurity program. (Google Meet)

“It absolutely floored me. It gives the whole industry a bad name,” Zabiuk said. 

He believes Dang should face serious consequences if the allegations are proven in court. 

“There should be fallout for anybody that does something that is against the law,” Zabiuk said. “Whether that being a fine, whether he’s removed from the party or not be permitted to run again, that’s not up to me. 

“But there should be some form of sanction against someone who breaks the law.”

Original Source link

Leave a Reply

Your email address will not be published.

3 + one =