Canada Post leaks sensitive information of thousands of cannabis buyers

Any of the thousands of Canadians who bought legal cannabis in Ontario in the past two weeks may have been the victim of a personal data leak, thanks to weak security at Canada Post Corporation, Motherboard reported. Two weeks ago, Canada became the second country to legalize recreational cannabis, which naturally put a strain on postal services that had already been on a rotating strike for weeks.

The security incident was caused by an OCS customer who “used OCS reference numbers” and the Canada Post website to steal information. The person had access to the type of products delivered, name of person who signed for the package, postal code and delivery date. The exact address, payment information and buyer names were not compromised.

Ontario Cannabis Store (OCS) released a privacy update on Twitter on Wednesday reassuring users that privacy and security are top priorities.

OCS said it was informed on Nov. 1 that “limited delivery information of information of approximately 2 percent of OCS customer orders (approximately 4,500 orders) was accessed by an individual through the Canada Post delivery tracking tool. Delivery data shared with the OCS also included information relating to customers of other Canada Post clients.”

The Office of the Information and Privacy Commissioner (IPC) of Ontario was immediately informed of the security incident and worked with OCS to detect the cause of the breach and prevent similar issues in the future. According to OCS, even though Canada Post was urged to notify customers, at the time of the privacy update on November 7 they had not done so.

“Both [Canada Post and OCS] have been working closely together since that time to investigate and take immediate action,” said Canada Post for Motherboard. “As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information. We have also shared with OCS that we are confident that the customer who accessed the information only shared it with Canada Post and deleted it without distributing further.”

Leave a Reply