Canada Post leaked personal data, orders of thousands of cannabis smokers

The rollout of legal weed in Ontario is now beset by potential privacy issues.
Written by Charlie Osborne, Contributing Writer

The decision to make recreational cannabis legal in Ontario, Canada, has been fraught with problems and now has been tarnished by a data breach at Canada Post.

On Wednesday, the Ontario Cannabis Store (OCS) revealed the security incident on Twitter, saying that an unnamed individual was able to access the order records of 4,500 customers, or roughly two percent of the firm's customer base.

The compromised information included names or the initials of nominated signatories, postcodes, dates of delivery, OCS reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses.

However, OCS insists that buyers' names (unless the buyer was also the person signing for delivery), full delivery addresses, the contents of orders, and payment information were not compromised.

Smoking weed may now be legal in the province, but that does not mean individuals taking advantage of the change in legislation want their usage known, and no one wants their personal data stolen and potentially leaked on the web, whatever the circumstances.

The breach was uncovered on November 1. Canada Post and OCS have been working together since then to investigate how the data was accessed, and OCS said that Canada Post's failure to inform affected customers prompted OCS to notify them itself.


"The OCS has encouraged Canada Post to take immediate action to notify their customers," the cannabis supplier said. "To date, Canada Post has not taken action in this regard. Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers."

Canada Post may be in hot water, but over 1,000 complaints have been received by the Ontario Ombudsman relating to OCS, including those describing billing issues, late deliveries, and poor customer service.

A data breach is likely the last thing OCS wants to face while already under censure over its sales operation, especially given that the Ombudsman considered the problem severe enough to issue a press release. The regulatory body was only at the stage of monitoring the complaints, but the security incident may escalate the situation, whether or not OCS was at fault in this instance.

The OCS is the only legal supplier in the province until April, when private retailers are permitted to launch.


A Canada Post spokesperson told ZDNet that the individual behind the leak "only shared it with Canada Post and deleted it without distributing further."

"Important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information," the spokesperson added. "We are pleased that OCS has notified their customers of the issue and will continue to work together to provide customers with assurance that this is being fully addressed."

The Federal Privacy Commissioner and the Ontario Information and Privacy Commissioner have been informed of the breach.


"It didn't take long for the cannabis industry to be treated like any other one and turned into a target for cyber attacks, this time exposing addresses and names or initials that are most likely out in the Dark Web," Don Duncan, director at NuData Security, told ZDNet. "While names and addresses are always useful to cybercriminals, companies can devalue that personally identifiable information by adding a layered security solution that includes passive biometrics and behavioral analytics so that customers are also identified by their online behavior."

ZDNet has reached out to OCS and will update if we hear back.
