Doug Ford government says vaccine booking portal 'remains secure' despite data breach
TORONTO -- Ontario's Progressive Conservative government says residents should still have confidence in the province's vaccine booking portal, despite a suspected data breach that triggered a police investigation and led to charges against a government employee.
Government House Leader Paul Calandra says the Ontario Provincial Police (OPP) cyber crimes unt was "immediately engaged" after learning of the breach leading to a "swift investigation."
"The OPP charged an individual who is no longer working with the Government of Ontario," Calandra said during Question Period at Queen's Park. "The system remains secure for the people of the province of Ontario."
The OPP say they were first asked to investigate the breach on Nov. 17 after the government received reports of individuals receiving spam text messages from people who scheduled appointments or accessed their vaccine certificates through the province vaccine portal.
Ontario's Solicitor General confirmed the text messages were "financial in nature" but said no one had been defrauded of any money.
"This investigation confirmed that no personal health information was accessed, and that Ontario’s COVID-19 vaccine booking system remains secure and continues to be a safe tool for Ontarians to use," a spokesperson for the Solicitor General's said in a statement.
In a news release issued Tuesday, investigators said that two search warrants—one in Quebec and another in Ottawa—were executed on Nov. 22 in connection with the security breach. Several devices, computers and laptops were seized.
As a result of the investigation, 21-year-old Gloucester resident Ayoub Sayid and 22-year-old Rahim Abdu from Vaudreuil-Dorio were taken into custody.
They were both charged with Unauthorized Use of a Computer contrary to s. 342.1(1)(c) of the Criminal Code.
Police say that Sayid was an employee of the Ontario Ministry of Government and Consumer Services in the vaccine contact centre.
The arrests, however, haven't quelled the criticism from the Official Opposition over why Premier Doug Ford didn't inform the public about the breach. Multiple reports of the data breach were shared on social media by concerned residents and only confirmed by the government after inquiries from the media.
"The government knew this was happening and they chose to keep it under wraps," charged NDP Leader Andrea Horwath. "Why didn't the premier come clean with parents the moment they found out that there was a breach to the system?"
Calandra didn't provide a response for why the information wasn't publicized by the government.
CTV News Toronto spoke with two residents who received phishing text messages they believe could have been related to the breach. Both messages were addressed to their children using their full names.
"What really triggered it for me was the spelling of her name. It was her name, her full name with middle name, and her middle name was fully capitalized and the only time I've ever seen that was on her vaccine passport," Toronto resident Carla Embleton said.
Ottawa resident Mike Primeau said he received a similar text to his cell phone saying that his son had been sent "a reimbursement of $163.36" and was asked to reply to receive the payment.
Primeau was the one who registered his entire family—including his son—for the COVID-19 vaccine.
Multiple other people reported receiving text messages with either their full names or the full names of their children; however the requests differed slightly.
The charges have not been proven in court.
The OPP warned that members of the public should always be suspicious of text messages asking for financial or private information. Anyone who suspects fraudulent activity should report it to the Canadian Anti-Fraud Centre online or by calling 1-888-495-8501.