Canada Post's Data Breach Affected 950K Customers

 

The state-owned postal service, Canada Post has reported that a cyber-attack on a third-party provider resulted in a data breach affecting 950,000 parcel recipients. Canada Post Corporation, also known as Canada Post, is a Crown corporation that serves as the country's major postal operator. 

Canada Post claimed in a press release on May 26 that it had notified 44 "major business customers" that they may have been compromised by "a malware assault" targeting Commport Communications, a supplier of electronic data interchange (EDI) services. 

On May 19, the supplier informed Canada Post that “manifest data housed in their systems, which was related with some Canada Post customers, had been compromised.” 

It stated that the data was compromised between July 2016 and March 2019, with 97% of it containing the names and addresses of receiving consumers. According to the firm, the remaining 3% contained email addresses and/or phone numbers. The Crown corporation has already "taken preventive measures and will continue to take all required efforts to mitigate the repercussions," according to the statement. 

“Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cybersecurity approach which is becoming an increasingly sophisticated issue,” the statement further read.

According to Canada Post, a thorough forensic investigation was conducted, but “no evidence” of financial information being compromised was found. Despite the fact that the breach was caused by a supplier, Canada Post claimed in a statement on Wednesday that they “sincerely regret the difficulty this may cause our valued customers. Canada Post respects customer privacy and takes matters of cybersecurity very seriously.”

“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” the company said.
 
The postal service is currently "proactively alerting" impacted business clients, as well as providing the required support and information "to help them select their future steps." “The Office of the Privacy Commissioner has been notified,” Canada Post said.

In November 2020, Canada Post mentioned: "a potential ransomware issue" reported by Commport Communications to its IT division, Innovapost. However, “Commport Communications advised there was no evidence to imply any customer data had been hacked at that time,” according to the report.