Canada Post has informed 44 of its large business customers of a data breach caused by a malware attack on one of our suppliers, Commport Communications. The supplier notified Canada Post late last week (on May 19) that manifest data held in their systems, which was associated with some Canada Post customers, had been compromised.
Commport Communications is an electronic data interchange (EDI) solution supplier used by Canada Post to manage the shipping manifest data of large parcel business customers. Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it.
After a detailed forensic investigation, there is no evidence that any financial information was breached. In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950 thousand receiving customers. After a thorough review of the shipping manifest files, we’ve determined the following:
- The information is from July 2016 to March 2019
- The vast majority (97%) contained the name and address of the receiving customer
- The remainder (3%) contained an email address and/or phone number
While the breach occurred via a supplier, Canada Post respects customer privacy and takes matters of cyber security very seriously. We also sincerely regret the inconvenience this will cause our valued customers. In November 2020, Commport Communications notified Innovapost, Canada Post’s IT subsidiary, of a potential ransomware issue, which was investigated with Commport Communications advising there was no evidence to suggest any customer data had been compromised at that time.
We are now working closely with Commport Communications and have engaged external cyber security experts to fully investigate and take action. We are proactively informing the impacted business customers and providing the information and support necessary to help them determine their next steps. As well, the Office of the Privacy Commissioner has been notified.
Canada Post will continue to engage external cyber security experts to conduct additional forensic work and assist in the ongoing investigation with Commport Communications. We have already implemented proactive measures and will continue to take all necessary steps to mitigate the impacts. Canada Post will also incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cyber security approach which is becoming an increasingly sophisticated issue.