May 27, 2021 – Canada’s mail carrier informed its customers of a malware attack that impacted 44 of its biggest corporate customers across the country and potentially up to nearly one million people on Wednesday. The breach reportedly occurred between July 2016 and March 2019.
Canada Post said the data breach was caused by a malware attack on one of their suppliers, Commport Communications. They said the supplier told Canada Post on May 19 that manifest data held in their systems, which was associated with some Canada Post customers, had been compromised.
Commport Communications is an electronic data interchange (EDI) solution supplier used by Canada Post to manage the shipping manifest data of large parcel business customers. Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it.
After a detailed forensic investigation, Canada Post said there is no evidence that any financial information was breached. They reported that 97 per cent contained the name and address of the receiving customer and the remaining three per cent contained an email and/or phone number.
“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” Canada Post said in their statement. “We are proactively informing the impacted business customers and providing the information and support necessary to help them determine their next steps. As well, the Office of the Privacy Commissioner has been notified.”
Canada Post said it will continue to engage external cyber security experts to conduct additional forensic work and assist in the ongoing investigation with Commport Communications.
“We have already implemented proactive measures and will continue to take all necessary steps to mitigate the impacts. Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cyber security approach which is becoming an increasingly sophisticated issue.”