Canada Post Pwned… Data On 950,000+ Customers Has Been Compromised

Thanks to a malware attack on one of its suppliers, Canada Post has been pwned by hackers. Canada’s postal carrier put out a release on this today:

Canada Post has informed 44 of its large business customers of a data breach caused by a malware attack on one of our suppliers, Commport Communications. The supplier notified Canada Post late last week (on May 19) that manifest data held in their systems, which was associated with some Canada Post customers, had been compromised.

Commport Communications is an electronic data interchange (EDI) solution supplier used by Canada Post to manage the shipping manifest data of large parcel business customers. Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it.

After a detailed forensic investigation, there is no evidence that any financial information was breached. In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950 thousand receiving customers. After a thorough review of the shipping manifest files, we’ve determined the following:

  • The information is from July 2016 to March 2019
  • The vast majority (97%) contained the name and address of the receiving customer 
  • The remainder (3%) contained an email address and/or phone number

Here’s the problem with this. It’s 2021 and the data is from 2016 to 2019. And the planet is only finding out about this today. That’s a #fail. Sure, Canada Post notes that it will engage external cybersecurity experts to conduct additional forensic work and that the Office of the Privacy Commissioner has been notified. But that’s not good enough given how much info and the timeframe that this info spans. Hopefully the Privacy Commissioner slaps Canada Post silly over this, as this is not acceptable.

And I have to wonder if the 950,000 customers will be notified? Based on the Canada Post press release, I don’t think so. But they are free to surprise me.

UPDATE: I have a comment on this hack from David Masson, Director of Enterprise Security for Darktrace: 

This attack follows the rising trend of hackers infiltrating organizations via the supply chain. From the SolarWinds Orion campaign to the recent attack on Centreon software, we can be in little doubt complex digital supply chains are a hacker’s paradise. 

Canada Post are just the latest victim in what is a new era of cyber-threat, one where attackers exploit supply chain vulnerabilities to launch mass attacks with maximum return on their investment. The volume of data breached indicates that malicious activity had been going on for some time unnoticed, with hackers lurking on systems with their finger on the trigger.  

These silent and stealthy attacks are virtually impossible to detect with traditional security tools and companies today must adopt a zero-trust policy when it comes to third-party suppliers. Perimeter defences won’t work – these attacks come from the inside. That’s why thousands of organizations today rely on cutting-edge technology like AI to identify the subtle indicators of this malicious activity wherever it emerges, and thwart it before damage is done. 
