A malware attack on one of Canada Post’s suppliers has caused a data breach affecting 44 of the company’s large business clients and their 950,000 receiving customers, the postal agency confirmed Wednesday.
It said the information affected is from July 2016 to March 2019, and 97 per cent of it comprised the names and addresses of receiving customers. The remaining three per cent contained email addresses and/or phone numbers, the company said.
“In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950,000 receiving customers,” Canada Post said in an email to Global News.
The Crown corporation said it has already “implemented proactive measures and will continue to take all necessary steps to mitigate the impacts.”
“Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cybersecurity approach which is becoming an increasingly sophisticated issue,” the statement said.
On May 19, Commport Communications — an electronic data interchange (EDI) solution supplier used by Canada Post to manage shipping data of business customers — informed the company that certain data associated with some of their customers had been compromised.
According to Canada Post, a detailed forensic investigation was carried but “there was no evidence” of any financial information being breached.
Though the breach occurred via a supplier, Canada Post said they “sincerely regret the inconvenience this will cause our valued customers,” in a statement Wednesday.
“Canada Post respects customer privacy and takes matters of cybersecurity very seriously,” it said.
“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” the company said.
Currently, the postal agency is “proactively informing” the impacted business customers, while providing the necessary support and information “to help them determine their next steps.”
“The Office of the Privacy Commissioner has been notified,” Canada Post said.
In November 2020, Commport Communications had notified Innovapost, the IT subsidiary of Canada Post, of a potential ransomware issue. The matter was investigated and Commport Communications had advised at the time that there was no evidence to suggest any customer data had been compromised.
© 2021 Global News, a division of Corus Entertainment Inc.