Unsealed court records reveal that Rachel Notley’s NDP knew one of its MLAs hacked Alberta’s vaccine portal causing the system to buckle — and then blamed the UCP government for the system’s failure.
In September 2021, MLA Thomas Dang allegedly hacked Alberta’s vaccine records system by sending 1.78 million queries to test for a security fault. Meanwhile, Albertans attempting to access their vaccine records through the portal were forced to wait for hours behind a queue of up to 50,o00 users.
Chief Government Whip Brad Rutherford said the NDP crashed Alberta’s vaccine system “yet they chose to play dumb and attack the government anyway.”
“This is probably the most shameless stunt we’ve seen from the Notley NDP so far,” Rutherford said in a statement to True North.
“But this is how the NDP operated throughout the entire pandemic. They only worked to sow chaos and confusion at a time when Opposition parties across Canada were working with government to make people’s lives better.”
In September, a constituent contacted Dang with concerns about potential vulnerabilities on the vaccine portal. Dang used Premier Jason Kenney’s birth date and vaccination dates, which are publicly available, to crack the site’s privacy safeguards.
Between Sept. 19 and 23, Dang’s computer program blasted the system with requests using Kenney’s personal information. Dang admitted to the RCMP that the queries were randomly generated guesses aimed at revealing the Premier’s health care number.
Court documents refer to Dang’s operation as a “brute force attack.”
Court records state: “During this time there were 3.5 million requests using the date of birth of Premier Jason Kenney and a further 1 million requests using the date of birth of Thomas Dang, an MLA from the NDP. This flood of traffic resulted in regular users being unable to access the site to download their own records.”
Records clarify that the 3.5 million figure is both requests to and responses from the website server, meaning Dang made approximately 1.78 million attempts to access the site himself.
Dang has claimed he accessed the site to test vulnerabilities on the newly launched Alberta Health vaccine portal, and upon finding one — and uncovering a woman’s healthcare number in the process — he informed NDP chief of staff Jeremy Nolais and NDP director of communications Benjamin Alldritt, court documents show.
As the portal froze from the weight of requests, NDP MLAs began attacking the UCP government on Twitter.
UCP MLA and Energy critic Kathleen Ganley wrote, “If only those who spent hours waiting in cues to get a my AB health account had been told not to bother, sigh.”
“Guess that would have required a government that cared.”
Alldritt retweeted a tweet saying the UCP cancelled dozens of IT contracts when it formed government and probably didn’t think about replacing them “or think about how a vaccine passport might be delivered in the past 18 months.”
Frustrations from regular Albertans also began to pile up as the wait time to enter the portal grew to 14 hours, with one user suggesting it’s time to “fire” the UCP.
Another user said he was lucky to get his records late the night before and said he “hoped the servers hold” for those still trying to access their records.
Some Albertans began posting screenshots of the number of users ahead of them in line, which showed a queue of 20,000 to 50,000.
In November, Notley said the UCP government is reporting a “possible privacy breach related to vaccine passports.”
“Sharing for awareness,” she wrote.
Notley refrained from attacking the government for the breach. At this time, staff in her personal circle knew Dang had breached the portal in September.
In response to past media inquiries, the Alberta NDP has said it doesn’t “have dealings” with True North. The party confirmed this is still its policy on Wednesday.
The RCMP was initially pursuing criminal charges against Dang. In June, he was charged under the province’s Health Information Act for illegally attempting to access private information contained in the Alberta Health vaccine portal in September 2021. He faces a fine of $200,000 if convicted.
Even while party officials were aware of his actions, Dang was promoted to the critic portfolio one month later, in October. He left the party to sit as an Independent MLA once the RCMP began investigating his actions in December.
Rutherford also said the “scandal” extends beyond Dang.
“But now that Dang has been charged and is facing the courts, we hope to learn more about the role Rachel Notley and her senior staff played in this hacking scandal.”