Names and postal addresses leak blamed on malware attack

Canada Post reveals supplier data breach involving shipping and delivery information of 950,000 parcel recipients

A cyber-attack on a third-party supplier of Canada Post has resulted in a data breach impacting 950,000 parcel recipients, the state-owned postal service has announced.

In a press release published yesterday (May 26), Canada Post said it had informed 44 “large business customers” that they had potentially been affected by “a malware attack” against Commport Communications, a provider of electronic data interchange (EDI) services.

The supplier notified Canada Post a week earlier, on May 19, “that manifest data held in their systems, which was associated with some Canada Post customers, had been compromised”.

Catch up on the latest cybersecurity news from Canada

The exposed data, said Canada Post, involves the names and postal addresses of parcel recipients in 97% of cases, with the other 3% comprising an email address and/or phone number.

The shipping information for “just over” 950,000 parcel recipients relates to a nearly three-year period between July 2016 and March 2019.

The ongoing investigation has found “no evidence that any financial information was breached”, added Canada Post.

Canada Post, the country’s largest postal operator, uses Commport Communications’ EDI services to manage shipping manifest data, which includes sender and receiver contact information required for shipping labels, in order to fulfil parcel orders for its business customers.

‘Potential ransomware issue’

Canada Post also referenced “a potential ransomware issue” flagged by Commport Communications to its IT subsidiary, Innovapost, in November 2020. However, this “was investigated with Commport Communications advising there was no evidence to suggest any customer data had been compromised at that time”.

Canada Post said it had notified the Office of the Privacy Commissioner and is “proactively informing the impacted business customers and providing the information and support necessary to help them determine their next steps”.

The postal operator added that it had “already implemented proactive measures and will continue to take all necessary steps to mitigate the impacts.

“Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cyber security approach.”

The Daily Swig has contacted Canada Post and Commport Communications with some additional queries. We will update the article should we receive responses.

RELATED US healthcare non-profit reports data breach impacting 200,000 patients, employees