According to Canada Post, sensitive information of over 950,000 customers and 44 of its large business clients has been exposed in the malware attack.
Another day, another data breach. This time, the victim is the Canadian postal agency Canada Post who on Wednesday confirmed in a press release that data of over 950,000 of its customers could be compromised after one of its suppliers became a victim of a malware attack last week.
In the attack, data of at least 44 of its large business clients could have been exposed.
“In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950,000 receiving customers,” Canada Post said.
The supplier, Commport Communications, is an electronic data interchange solutions provider. The company informed Canada Post that the data breach occurred on May 19, and attackers targeted data held in their systems.
What are Shipping Manifests?
Canada Post claims that it uses Commport Communications services to manage the manifest shipping data of large parcel customers. Shipping Manifests are used to fulfill client orders and generally include sender/receiver contact information, usually found on shipping labels. This may include the name and address of the business customer and the item that is being shipped.
Details of the Attack
According to Canada Post, a detailed forensic analysis was carried out, and they found no evidence that financial information was exposed in the attack. When the impact of manifests was analyzed, investigators identified that the exposed data dated back to July 2016 until March 2019. Around 97% of the exposed data contained the receiver’s name and address, and the remaining 3% contained email addresses or contact information.
Canada Post’s Statement
Canada Post states that it is working closely with its subsidiary and engaged cybersecurity experts to take necessary action and sincerely regrets the inconvenience caused to its clients.
“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” the postal agency stated.
Moreover, the company proactively informed all impacted business clients and provided them the information and support they needed to identify the next steps. Canada Post has also notified the office of the Privacy Commissioner.
“Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cybersecurity approach which is becoming an increasingly sophisticated issue,” the agency explained.