Canada Post suffered a data breach that may have resulted in the compromise of order records of 4500 customers. The information stolen includes customers’ names, the initials of nominated signatories, postcodes, dates of delivery, OCS reference numbers, Canada Post tracking numbers and OCS corporate names and business addresses. The breach has also potentially affected customers of other Canada Post clients.
However, the organization said that the names of buyers, delivery addresses, payment information and the contents of orders were not compromised by the hacker.
Explaining the incident on its Twitter page, the organization said that the breach occurred on November 1 after a hacker gained access to the information using the Canada Post delivery tracking tool.
The firm has notified the Ontario Cannabis Store (OCS) about the breach. The OCS said that it is working closely with the Office of the Information and Privacy Commissioner (IPC) of Ontario to resolve the matter. In addition, it has asked Canada Post to notify all the affected customers.
"Since Nov. 1, the OCS has worked closely with Canada Post to identify the cause of this issue and to prevent any further unauthorized access to customer delivery information," the OCS said. "The OCS has encouraged Canada Post to take immediate action to notify their customers. To date, Canada Post has not taken action in this regard. Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers," the cannabis supplier said.
A spokesperson at Canada Post told ZDNet that the firm has fixed major loopholes to prevent any further unauthorized access.
"Important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information. We are pleased that OCS has notified their customers of the issue and will continue to work together to provide customers with the assurance that this is being fully addressed," the spokesperson told ZDNet.