A successful cyberattack targeting Quebec’s digital vaccine certificates may portend to challenges ahead for the upcoming B.C. Vaccine Card, according to one expert.
“The B.C. government needs to be on standby to get hacked, it's probably going to happen,” David Masson, the director of enterprise security at cyber-defence firm Darktrace PLC, told BIV ahead of Quebec’s Sept. 1 vaccine passport rollout.
The Journal de Montreal reported Thursday hackers obtained some QR codes tied to Quebec's vaccine passport campaign, including those belonging to Premier François Legault and Health Minister Christian Dubé.
B.C. and Manitoba will be the next provinces to deploy vaccine certificates, which patrons will have to display at events and locations like concerts, sports games, pubs, restaurants and certain types of fitness activities. Grocery stores, retail outlets and health-care centres are exempt.
The B.C. Vaccine Card is set to roll out Sept. 13 and users will need at least one dose of a COVID-19 vaccine to be permitted entry into certain locations. By Oct. 24, users are expected to be fully vaccinated at least seven days after getting their second dose to access businesses and events.
“The B.C. government is in a difficult position because they're trying to second guess what the future holds. And nobody really knows what the future holds,” Masson said.
“[Quebec] figured they covered all the angles, but guess what? They hadn't. There's always clever people out there who will find a way to get around things. And the B.C. government should be considering that.”
A link will be provided to British Columbians with their proof of vaccination ahead of the Sept. 13 launch of the certificates that people can save onto their phones to show businesses. Those unable to show proof of vaccination online will be given “a secure alternative option,” according to a government release.
B.C. Premier John Horgan, meanwhile, said his government was working with the Privacy Commissioner, the Ministry of Health and the Office of the Public Health Officer to ensure the data was kept secure.
“We’re confident that every tool we can use to protect this information and to make sure it can’t be duplicated or forged will be put in place and we’ll see how we unroll it on the 13th [of September] and can be judged at that time,” he said.
Masson praised the province’s decision to roll out an alternative for those without access to a smartphone.
“We can't have a society where people are now being excluded from it because they can't afford technology,” he said.
“Can it be forged? Yeah. Or counterfeited? Yeah, of course it can. But everything can be. And don't forget, your smartphone can be forged.”
As B.C. prepares to roll out its own vaccine certificate, Masson said the province must prioritize where the data is being stored and what kind of data is being included on the app.
Ottawa revealed earlier this month it was partnering with the provinces on deploying a vaccine passport suitable for international travellers by the fall.
The federal government’s digital passport will include users’ COVID-19 vaccination record, the type of vaccine they received [such as Pfizer Inc. or Moderna Inc., and the dates and locations the vaccine shots were administered.
Masson said he’s unsure why the QR code for the Quebec passport will contain users’ birth dates, as it opens the path to potential identity theft.
“They could then use that [date of birth] with other bits of personal data that you can grab, scrape, steal from other people to build identities and therefore make it a far more monetized product,” he said. “But we haven't quite got there yet.”