A hacker Those unidentified in the Hackfest community on Thursday illegally obtained QR codes containing vaccine information from several elected officials of the National Assembly, including Minister Eric Khair, who is responsible for protecting personal information.
According to a post posted on the Crypto.Cube Facebook page on Thursday, but it was deleted in the evening, the vaccination data of Prime Minister Franசois Legalt was also compromised. The Minister of Health and Social Services, Christian Dupe, the Mayor of Montreal, Valerie Blande, the co-spokesman for the Quebec Solitaire Gabriel Nauto-Dubois and the leader of the Liberal Party Dominic Anglet were also present.
Hackfest, a group of computer security experts, immediately notified the government of the problem, said its co-founder Patrick Mathews.
The security breach exploited by the hacker, who allowed the government’s self-service portal to be thwarted by gathering the most accessible information about his targets on social websites.
Asked by Press Regarding this shortcoming, Minister Eric Khair’s office said it was taking the matter very seriously and conducting an investigation. “Any misrepresentation or theft of a QR code is punishable, even punishable [un acte] Guilty, ”its spokeswoman Natalie Saint-Pierre recalled.
QR Codes 1 issued by the Ministry of Health and Social Services (MSSS) will act as the first vaccine passportThere is September. To receive them, vaccinated Cubs only need to enter their name, date of birth, date of first vaccination against Govt-19, brand of vaccine received and their social security number.
The hacker was able to easily confirm the date of their first vaccination because all of the selected victims of the hack advertised their vaccine by posting photos on social websites. Then all he has to do is find their date of birth on the internet and guess the last two digits of their health insurance number.
A “poorly designed” system
During a technical presentation earlier this week, the Deputy Minister of Information and Branch of the Government Information Technology Branch assured that personal information contained in the QR code was limited to “absolutely required”. Additional information that hackers can find, the vaccination date of the second vaccine, and only the batch numbers of sites and dosages for which these vaccines were given. In some cases, they can also find out if a hack victim has ever had a positive test for COVID-19 or if the vaccine has clinical contraindications.
There is no particularly important information such as the social insurance number, the home address of the vaccinated person or their phone number.
According to Patrick Mathieu, co-founder of Hackfest, the flaw shows that the system set up by the government is “poorly designed, from A to Z”.
The government relies on the security of the organization based on information that is easily accessible to anyone around them. Anyone can compromise.
Patrick Matthew, co-founder of Hackfest
According to him, the technology that allows the government to generate these QR codes is not designed to develop into a large-scale verification tool like the vaccine passport. “We have repeatedly told the government that this is a bad choice of technology,” he says.
Liberal MP Marwa Risky said the QR code also spread on the internet yesterday following the hack, leaving one wondering why the government did not put an additional firewall on its portal to prevent the hack. He also fears that traders who are called to verify QR codes, as provided in the protocol issued by Quebec, will rarely be asked to provide a driver’s license or health insurance card to verify the identity of their customers. “Fortunately, there is only one Marwa Risky in the country, and it would surprise me if someone tried to impersonate me. But if I had a generic name like Region Tremblay, it would be easier to use a fake QR code, which is worrying,” he believes.
The government has been talking to us about the vaccine passport since May. They had time to make sure security was in the right place, but they played down any issues raised by people who knew about security. This is sad, “said Tariq al-Hashimi, the party’s secretary general.
With Alice Girard-Boss, Press