Canada Post: Breach Affects 1 MillionRansomware Attack on Vendor Exposed Data
Canada Post, the nation's primary postal operator, reports that personal information on almost 1 million of its customers was compromised when one of its vendors suffered a ransomware attack last year.
Commport Communications, which manages shipping manifest data for Canada Post, on May 19 informed the postal service it had suffered a data loss from a ransomware attack last year. When it originally reported the attack in November 2020, Commport reported that no data had been compromised.
Aurora, Ontario-based Commport Communications is an electronic data interchange solutions provider that handles shipping manifests for 44 of Canada Post's postal service commercial customers. Its compromised system contained information on more than 950,000 individual postal customers.
"Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it," Canada Post says in a statement on the breach.
Information that was exposed was from the period of July 2016 to March 2019. About 97% of the exposed records contained the name and address of the receiving customer, with the remaining 3% adding an email address or telephone number, Canada Post says.
Commport Communications did not immediately respond to a request for additional information.
Canada Post says a detailed forensic investigation into the 2020 event did not find any evidence that any financial information had been breached. But it notes that the investigation is continuing.
"We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action," Canada Post says. "We are proactively informing the impacted business customers and providing the information and support necessary to help them determine their next steps. As well, the Office of the Privacy Commissioner has been notified."
Canada Post says it has implemented cybersecurity measures and will continue to take all necessary steps to mitigate the impact of the breach.