Canada Post admitted on November 7th that it suffered a breach of it’s delivery tracking system. It seems the customers affected were all customers of the Ontario Cannabis Store (OCS). The OCS said in a privacy updated on their website that the breach late on Nov. 1 affected about two per cent of its customer orders, and information was accessed by a person using a Canada Post delivery tracking tool. The OCS has informed the Ontario Privacy commissioner of the breach. Canada Post says it has also informed the Federal Privacy Commissioner.
Delivery information that was disclosed includes:
- Postal codes
- Names, or initials or people who signed upon delivery
- Date of delivery
- OCS reference numbers
- Canada Post tracking numbers
- OCS corporate names and business addresses
- Delivery addresses, payment information and the contents of orders were not released.
It remains to be seen if this breach has affected other Canada Post customers, but the OCS believes it is likely. A spokesman for Canada Post would not say when the individual let the postal service know he had accessed the information. In a statement, Canada Post said it had been working with the OCS since last Thursday and has now fixed the problem. “Both organizations have been working closely together since that time to investigate and take immediate action,” Canada Post said in a statement. “As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information.”
Global News spoke to a cybersecurity expert who explained, while the demand for cannabis could be a reason for hacks, this particular incident might be a design flaw or mistake in the delivery tracking system. “Normally, when systems like these are designed, in this case it seems to be a tracking system. They’re not designed with security in mind,” said David Masson, country manager for Darktrace, a cybersecurity company. “People come up with a process and at the very end, decide to put some security in. You need to be doing this right at the beginning of the process, not at the end, because inevitably mistakes will be made.”
To add to mix, updates to Canada’s PIPEDA law came into effect on November 1. It will be interesting to see what kind of fallout results from this. “With the new legislation that’s come out [on privacy data] companies like OCS and whoever will want to make sure third parties do understand that safeguards need to be in place to protect privacy information,” said Masson.
Could a breach put your business in the news? Could it cause you to be fines? Learn more about Uzado’s BRaaS and find out how you can protect yourself from a breach.