Canada Post ad­mits pri­vacy breach

4,500 On­tario Cannabis Store customers may have had data ex­posed

Standard-Freeholder (Cornwall) - - BUSINESS -

TORONTO — Canada Post pub­licly ad­mit­ted to a pri­vacy breach in­volv­ing thou­sands of On­tario’s on­line cannabis customers on Wed­nes­day after the prov­ince’s only out­let for le­gal recre­ational mar­i­juana no­ti­fied clients of the prob­lem.

The postal ser­vice said in a state­ment that some­one had used its de­liv­ery track­ing tool to gain ac­cess to per­sonal in­for­ma­tion of 4,500 customers of the On­tario Cannabis Store but de­clined to iden­tify the in­for­ma­tion.

“Both or­ga­ni­za­tions have been work­ing closely to­gether since that time to in­ves­ti­gate and take im­me­di­ate ac­tion,” Canada Post said in a state­ment. “As a re­sult, im­por­tant fixes have been put in place by both or­ga­ni­za­tions to pre­vent any fur­ther unau­tho­rized ac­cess to cus­tomer in­for­ma­tion.”

Canada Post no­ti­fied the on­line cannabis store on Nov. 1 about the breach, both or­ga­ni­za­tions said.

In a state­ment on Wed­nes­day, the On­tario Cannabis Store said it re­ferred the mat­ter to the prov­ince’s pri­vacy com­mis­sioner. The state­ment also said the store had “en­cour­aged” Canada Post to take im­me­di­ate ac­tion to no­tify its customers.

“To date, Canada Post has not taken ac­tion in this re­gard,” the store said in its state­ment. “Al­though Canada Post is mak­ing its own de­ter­mi­na­tion as to whether no­ti­fi­ca­tion of customers is re­quired in this in­stance, the OCS has no­ti­fied all rel­e­vant customers.”

In re­sponse, a spokesman for Canada Post said it had ex­plained to the cannabis store that it did not have con­tact in­for­ma­tion for the pot buy­ers.

Ac­cord­ing to the on­line store, the com­pro­mised in­for­ma­tion in­cluded postal codes and the names or ini­tials of the per­son who ac­cepted de­liv­ery of the mar­i­juana.

No other or­der de­tails were in­cluded, such as the name of the per­son who made the or­der — un­less it was the same as the in­di­vid­ual who signed for de­liv­ery — or the ac­tual de­liv­ery ad­dress or pay­ment in­for­ma­tion, the state­ment said.

OCS said customers who did not re­ceive an email no­ti­fi­ca­tion were not part of the breach.

On­tario’s pri­vacy com­mis­sioner, Brian Beamish, called the breach “un­for­tu­nate” but said it ap­peared the risk to cus­tomer data was lim­ited.

“I’m cer­tainly pleased that OCS took the step of no­ti­fy­ing peo­ple of the breach and mak­ing it pub­lic,” Beamish said in an in­ter­view. “That level of trans­parency is good.”

Given that the vul­ner­a­bil­ity oc­curred through Canada Post, Beamish said any fur­ther pri­vacy ac­tion rested with the fed­eral com­mis­sioner, who did not im­me­di­ately com­ment.

While mar­i­juana or­dered through the On­tario Cannabis Store is le­gal, pri­vacy con­cerns are es­pe­cially acute given the hard line taken by Amer­i­can au­thor­i­ties, who have made it clear that Cana­di­ans who ad­mit to us­ing pot could be re­fused en­try to the U.S. or deemed in­ad­mis­si­ble for life.

“I wouldn’t say I am wor­ried (about this breach) but I am con­cerned any time my per­sonal in­for­ma­tion is hacked,” said one cus­tomer, who re­ceived the email from the cannabis store. “I would pre­fer you not use my name only be­cause I might like to con­tinue to be ad­mis­si­ble to U.S.A.”

Ac­cord­ing to the store, the breach oc­curred when an in­di­vid­ual used the Canada Post track­ing tool to ac­cess de­liv­ery data, and also po­ten­tially af­fected customers of other Canada Post clients.

Newspapers in English

Newspapers from Canada

© PressReader. All rights reserved.