Canada Post informs 44 large business customers of data breach affecting 950K customers
Mail boxes are seen at Canada Post's main plant in Calgary, Alta., Saturday, May 9, 2020, amid a worldwide COVID-19 pandemic. THE CANADIAN PRESS/Jeff McIntosh
TORONTO -- Canada Post has informed 44 of its large business customers that information relating to more than 950,000 customers was compromised after one of its suppliers fell victim to a malware attack late last week.
On Wednesday, the postal agency announced that Commport Communications, an electronic data interchange solution supplier, had notified them that manifest data held in their systems, which are associated with Canada Post customers, had been “compromised” in an attack on May 19.
Commport Communications is used by Canada Post to manage the shipping manifest data of large parcel business customers.
“Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it,” Canada Post said in a press release.
The postal service said that, after a “detailed forensic investigation,” there is no evidence that any financial information was breached.
The investigation into the impacted manifests also found:
- The information is from July 2016 to March 2019
- The vast majority (97 per cent) contained the name and address of the receiving customer
- The remainder (3 per cent) contained an email address and/or phone number
Canada Post said Commport Communications notified Innovapost, the postal agency’s IT subsidiary, of a potential ransomware issue in November 2020. However, an investigation at the time didn’t turn up any evidence to suggest customer data had been compromised.
“We are now working closely with Commport Communications and have engaged external cyber security experts to fully investigate and take action,” Canada Post said.
The postal service added they have proactively informed impacted business customers and have provided them with the information and support to help them “determine next steps.”
The Office of the Privacy Commissioner has also been notified, Canada Post added.
While the breach occurred at one of their suppliers, Canada Post said they “sincerely regret” the inconvenience to their customers and they take cyber security “very seriously.”
“Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cyber security approach which is becoming an increasingly sophisticated issue,” the agency said.