Court documents allege MLA conducted 'brute force attack' on Alberta vaccine records site

Independent MLA Thomas Dang will make his first court appearance on July 27 facing one count of illegally attempting to access private information under Alberta's Health Information Act. (Travis McEwan/CBC - image credit)

Court documents obtained by CBC News show that at least until March 31, 2022, the RCMP were pursuing a criminal charge against MLA Thomas Dang.

Dang was the target of a months-long investigation conducted by the RCMP cybercrime investigation team after police were alerted to a September 2021 attempt to hack into the Alberta Health COVID-19 vaccine portal.

According to an Information to Obtain filed with provincial court and just unsealed Wednesday, Const. Christopher Augstman swore under oath, "I have reasonable grounds to believe that the following offences have been committed, namely: unauthorized use of a computer."

The Criminal Code offence carries a maximum penalty of ten years in prison upon conviction.

Instead, RCMP announced last month that based on Crown recommendations, Dang was charged under the province's Health Information Act for illegally attempting to access private information, which could result in a fine of up to $200,000. Dang will make his first court appearance on July 27.

A spokesperson for Alberta Justice would not explain why the Crown did not recommend criminal charges. The RCMP also refused to say if they agreed with the Crown's recommendation.

According to the Criminal Code, unauthorized use of a computer is only a criminal offence if the person did so fraudulently and without justification.

Dang has said that in September 2021, a computer-savvy constituent contacted him with concerns about potential vulnerabilities on the newly launched Alberta Health vaccine portal.

According to a court document, Dang told RCMP in a January 2022 interview that as an MLA with experience in cybersecurity it was his duty to ensure the system was secure. But an Edmonton cybersecurity expert disagrees.

"That's not what ethical hackers do," said NAIT cybersecurity chair John Zabiuk, who told CBC he believes Dang should have been charged criminally.

"That's like a person saying it's my duty to rob a bank because the bank is there."

'Brute force attack'

According to court documents, Dang told RCMP he didn't contact Alberta Health because he didn't think he would be able to reach anyone in the department on a Friday afternoon.

But the vaccine portal was not operational until Sunday, September 19, the same day Dang began testing the site.

He admits he chose Premier Jason Kenney's birthdate to run his test.

The court documents refer to Dang's attempts as a "brute force attack."

Between September 19 and 23, 2021, there were 1.78 million queries made by Dang's computer program using Kenney's personal information. He admitted to RCMP and later during a news conference that the queries were randomly generated guesses aimed at revealing the premier's health-care number.

UCP MLA Brad Rutherford was stunned by the sheer volume of queries.

"It's a nefarious action," Rutherford said. "Especially over a four-day period."

On September 23, 2021, court documents show Dang got a successful hit on a health-care number using Kenney's birthdate.

The information he unearthed belonged to an unnamed woman who shared the premier's date of birth and vaccine month.

Dang ran two subsequent manual tests to verify. By that time, according to court documents, he said he had notified the NDP chief of staff, Jeremy Nolais, and NDP director of communications Benjamin Alldritt about his findings.

In a white paper published by Dang on March 22, 2022, that has since been deleted, Dang said an NDP staff member "expressed concern that I had managed to verify a breach and that I had attempted such a test."

Dang said he told the staff member to disclose the information to the government as soon as possible.

Eight minutes after the third test, Alldritt sent an email to Alberta Health communications director Steve Buick.

The email, reproduced in the Information to Obtain, shows Alldritt didn't say that it was Dang who tipped them off.

He referred to the informant as "a party", then went on to say, "It's possible that this is a prank, but their tone seems genuinely concerned. Hopefully the dept can look into this ASAP."

Rutherford thinks the NDP's actions were suspicious.

"Clearly they saw in his actions that something wrong had happened. Their first instinct was to protect him, instead of being forthright with Albertans," Rutherford said.

A week later, additional security was added to the vaccine portal. Dang had no idea at that point that he was under criminal investigation.

Dang's future uncertain 

RCMP asked a provincial court judge to issue a search warrant for Dang's house on December 20, 2021. Mounties also requested a sealing order, stating in the court document, "If the person responsible were to discover they are under investigation prior to the execution of this search warrant, they may destroy evidence on their computers."

The search warrant was executed the next day, two months after Dang informed the NDP chief of staff and communications director about what he'd done.

In a written statement to CBC News on Wednesday, Alldritt said he cooperated fully with the RCMP and provided them with all the documents they requested.

Dang resigned from the NDP caucus, pending the outcome of the investigation. He wants to return to caucus, but currently still sits as an independent.

According to an NDP spokesperson, there is no timeline for making a decision on Dang's future, including whether he'll be allowed to stand for nomination ahead of the May 2023 election.

Dang declined to answer questions from the CBC about the court documents, but in previous interviews, he has defended his actions.

He said at a news conference in March 2022 that he didn't have permission to perform a security assessment but decided to act on his own because he didn't believe the province would have accepted his help unless he was able to first prove there was a problem.

The NAIT cybersecurity chair doesn't buy it.

"It absolutely floored me. It gives the whole industry a bad name," Zabiuk said.

He believes Dang should face serious consequences if the allegations are proven in court.

"There should be fallout for anybody that does something that is against the law," Zabiuk said. "Whether that being a fine, whether he's removed from the party or not be permitted to run again, that's not up to me.

"But there should be some form of sanction against someone who breaks the law."
