The primary postal service operator of Canada, Canada Post, suffered from a massive data breach that reportedly affects approximately 950,000 parcel recipients. The company acknowledged the data security incident in a press release dated last Wednesday, May 26, 2021.
Canada Post currently serves around 16.5 million business and residential addresses in the whole of the country. It is the leading postal operator in Canada, hiring third-party service provider Commport Communications to aid in its operations.
According to Infosecurity Magazine, Commport Communications specializes in providing customers with electronic data interchange solutions. It is responsible for providing Canada Post with managing its shipping manifest data for its large business customers.
In its press release, the primary postal operator said that it had already informed 44 of its large business customers, saying that these large businesses may have been compromised by a malware attack via its third-party supplier, Commport Communications.
The third-party supplier initially notified Canada Post about the incident on May 19, 2021, saying that its systems have been compromised in a malware attack.
In its report, Bleeping Computer said that the malware responsible for the incident is called the Lorenz ransomware operation. The news site said that the threat actors behind the operation first posted about the attack in their data leak site in December of last year, with the ransomware gang compromising and leaking a total of 35.3 gigabytes.
Besides the 44 large business customers, 950,000 parcel recipients were also made vulnerable by the ransomware attack. The accessed data of customers include their names, the contact details of both the sender and receiver, as well as the mailing addresses of users, notes Bleeping Computer.
These files came from company record dating from July 2016 to March 2019. Besides the aforementioned details, three percent of the affected parties also had their email address and phone number compromised.
In a statement, Canada Post maintains that “After a detailed forensic investigation, there is no evidence that any financial information was breached. In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950 thousand receiving customers.”
Following the data breach, the leading postal operator of Canada has taken to working with external cybersecurity experts to further investigate the issue. They have notified affected customers and are extending aid to individuals whose information might be compromised. Based on their press release, Canada Post has also notified the Privacy Commissioner.
Infosecurity Magazine states that the postal operator looks to enhance their approach to cybersecurity in the future.