Ontario vaccine centre employee charged in COVID-19 vaccine booking portal data breach
Published Tuesday, November 23, 2021 12:30PM EST
Last Updated Tuesday, November 23, 2021 4:22PM EST
A government employee is among two people charged following an investigation into a security breach related to Ontario's COVID-19 immunization system.
Ontario Provincial Police (OPP) say they were first asked to investigate the breach on Nov. 17 after the government received reports of spam text messages received by individuals who scheduled appointments or accessed vaccine certificates through the COVID-19 immunization system.
The security breach was confirmed publicly on Monday, with the Solicitor General's office telling CTV News Toronto that the reported texts were "financial in nature."
CTV News Toronto spoke with two residents who received phishing text messages they believe could have been related to the breach. Both messages were addressed to their children using their full names.
"What really triggered it for me was the spelling of her name. It was her name, her full name with middle name, and her middle name was fully capitalized and the only time I've ever seen that was on her vaccine passport," Toronto resident Carla Embleton said.
Ottawa resident Mike Primeau said he received a similar text to his cell phone saying that his son had been sent "a reimbursement of $163.36" and was asked to reply to receive the payment.
Primeau was the one who registered his entire family—including his son—for the COVID-19 vaccine.
Multiple other people reported receiving text messages with either their full names or the full names of their children; however the requests differed slightly.
In a news release issued Tuesday, investigators said that two search warrants—one in Quebec and another in Ottawa—were executed on Nov. 22 in connection with the security breach. Several devices, computers and laptops were seized.
As a result of the investigation, 21-year-old Gloucester resident Ayoub Sayid and 22-year-old Rahim Abdu from Vaudreuil-Dorion were taken into custody.
They were both charged with Unauthorized Use of a Computer contrary to s. 342.1(1)(c) of the Criminal Code.
Police say that Sayid is an employee of the Ontario Ministry of Government and Consumer Services in the vaccine contact centre.
"Following a swift and thorough investigation, which included both internal and external experts, the OPP has charged an individual who worked through a third party vendor in the vaccine booking call centre, but is no longer employed by the government," a spokesperson for the Solicitor General said.
"This investigation confirmed that no personal health information was accessed, and that Ontario’s COVID-19 vaccine booking system remains secure and continues to be a safe tool for Ontarians to use."
In a statement released Tuesday afternoon, Ontario NDP critic for Technology Development and Innovation Chris Glover called the breach “incredibly troubling.”
“Premier Doug Ford must immediately tell people what actions he’s taking to determine how many people’s personal health and contact information has been compromised, what is now being done to inform and protect those people, and how the system is being changed to prevent further breaches,” the statement read.
The charges have not been proven in court.
The OPP warned that members of the public should always be suspicious of text messages asking for financial or private information. Anyone who suspects fraudulent activity should report it to the Canadian Anti-Fraud Centre online or by calling 1-888-495-8501.