Canada Post corporate customers in data breach

Canada Post has informed 44 of its large business customers of a data breach caused by a malware attack on one of its suppliers, Commport Communications.

The supplier notified Canada Post late last week (on May 19) that manifest data held in their systems, which was associated with some Canada Post customers, had been compromised.

Commport Communications is an electronic data interchange (EDI) solution supplier used by Canada Post to manage the shipping manifest data of large parcel business customers.

Shipping manifests typically include sender and receiver contact information on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it.

Canada Post said that after a detailed forensic investigation, there is no evidence that any financial information was breached. In all, the impacted shipping manifests for the 44 commercial customers contained information relating to more than 950,000 receiving customers.

The compromised information is from July 2016 to March 2019, and 97% contained the name and address of the receiving customer. The remaining three percent contained an email address and/or phone number.

In November 2020, Commport Communications notified Innovapost, Canada Post’s IT subsidiary, of a potential ransomware issue, which was investigated with Commport Communications advising there was no evidence to suggest any customer data had been compromised at that time.

Canada Post and Commport Communications and have engaged external cyber security experts to investigate and take action. Impacted business customers are being notified of the breach. The Office of the Privacy Commissioner has also been notified.

Canada Post said it will continue to engage external cyber security experts to conduct additional forensic work and assist in the ongoing investigation with Commport Communications.