Quebec’s government was forced to defend its COVID-19 vaccine passport system on Friday amid news that prominent politicians’ vaccination information had allegedly been hacked.
The Health Department said in a statement it was aware of reports that people had managed to steal the QR codes of members of the Quebec legislature and said police complaints had been filed. The department was responding to reports from Le Journal de Montreal and Radio-Canada about hackers who had been able to obtain the codes of prominent politicians — including Premier François Legault and Health Minister Christian Dubé.
The quick response codes are scannable codes containing a person’s name, date of birth and information about the vaccinations they have received. They are the central feature of the government’s vaccine passport system, which will be required as of Sept. 1 to visit businesses the provincial government deems non-essential, such as bars, clubs and restaurants.
In a statement, Legault’s office reiterated that the codes do not contain any sensitive personal information. “The QR code sent by the Health Department contains only the name of the person, their birthday and the list of vaccines received,” the statement read.
“In fact, there is less information in the QR code than on a driver’s licence or a medicare card.”
Legault’s press secretary did not confirm the premier was among those affected by the breach, but he noted the alleged hack concerned public figures whose basic information and vaccine status were already widely available on the internet.
Gabriel Nadeau-Dubois, the spokesperson for the Québec solidaire party, accused the government of failing to protect Quebecers’ medical information.
“The IT system that generates the proof of vaccination for Quebecers has clearly been compromised,” he wrote in a letter to Legault and Dubé that was published on Twitter. “Individuals are in a position to obtain the QR codes of other citizens without their consent.”
Nadeau-Dubois, who said his own QR code had been published on the internet, urged the government to address the “worrying security breach” or else suspend the application of the vaccine passport until the issues have been resolved.
Steven Lachance, a Montreal-based digital security analyst and entrepreneur, said the event showed there was a “pretty big flaw in the way the system was deployed,” but he didn’t think Quebecers need to worry about the security of their medical information.
He said the perpetrators were likely able to download the QR codes from the government website that records residents’ vaccine information by using simple software or by guessing the last digits of the politicians’ medicare numbers.
“It’s not like they hacked the system or there was a security breach in the actual technology or security of the QR code itself,” he said in an interview Friday.
Lachance said the situation could have been avoided had the government sent each Quebecer their codes by email or paper mail, rather than allowing them to be downloaded by inputting basic information.
He said he’s more worried by a Radio-Canada report about a hacker who was able to create a false QR code that was accepted by the smartphone application that businesses are required to download to verify clients’ proof of vaccination. Lachance, however, said he expected that flaw to be fixed quickly.
Lachance has defended the government’s vaccine passport system and said he remained impressed by the technology behind it. The flaws, he said, involved how it was implemented.
Quebecers shouldn’t worry much about their codes being stolen, he said, because the QR codes contain less personal data than the information needed to steal them.
The government says nobody is allowed to use another person’s QR code and anyone who breaks that rule could face serious penalties. Businesses that require the vaccine passport will also be asked to check their customers’ photo ID to ensure the names match, and they are expected to report to police anyone who tries to use someone else’s QR code.
The Health Department also noted that the vaccine passport was still being tested ahead of the wider launch next week. “It was precisely the objective of making the application available before the vaccine passport comes into effect Sept. 1 to make the necessary adjustments,” the statement read.
“If improvements need to be made, they will be made.”