Canada Post has confirmed that “limited delivery information” of about 4,500 Ontario Cannabis Store (OCS) customer orders was accessed by a third party.
The data breach occurred on Nov. 1, the postal service said.
According to Canada Post, an OCS customer accessed the information through the Canada Post website. The agency said they are confident the customer only shared the information with Canada Post and “deleted it without distributing further.”
“Both organizations have been working closely together since that time to investigate and take immediate action. As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information,” Canada Post said in a statement.
The OCS has notified customers of the issue, saying that the information accessed included postal codes, date of delivery, OCS reference numbers, Canada Post tracking numbers, the name or initials of the person who signed for the package upon delivery, as well as OCS corporate names and business addresses.
“No other order details were included, specifically: the name of the person who made the order (if not the same as the individual who signed for the delivery), the delivery address, payment information, and the contents of the order were not accessed,” the store said in a statement posted to their website addressing the data breach.
Customers impacted by the data breach will receive an email notification on Wednesday, the OCS said.
A cyber security expert from Symantec Canada said that there appears to be “a weakness in the Canada Post delivery tracking system that was exploited.”
According to Ajay Sood, everyone should be prepared for what he calls “the inevitability of a breach” when they make purchases online.
“I always ask people on a personal level or on a corporate level with our customers to think about what they are putting online and what they are doing online, and as and when they do it be prepared for the fact that that can be disclosed without their approval.”
The data breach impacted about two per cent of cannabis orders made since the site launched, the OCS said.
The Federal Privacy Commissioner and the Ontario Information and Privacy Commissioner have been notified about the breach.