A data breach suffered by the Canadian postal service, Canada Post, has exposed the information of 44 big businesses and impacted 950,000 customers.

The postal agency notified its customers operating large businesses that data was compromised following a malware attack on one of its dedicated suppliers.

Third-party breach leads to massive data leak

A recent notification from the postal service confirmed that the supplier of its interchange solution for electronic data, Commport Communications, had been hit by a malware attack. The manifest data associated with customers of Canada Post retained on the supplier’s systems was compromised in the incident.

The shipping manifest information of Canada Post’s large business customers is managed by Commport Communications. The postal agency commented on its agreement with the third-party supplier in a recent press release:

“Shipping manifests are used to fulfil customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it.”

However, Canada Post added that following a comprehensive forensic investigation into the malicious attack, no evidence has been found to suggest that any financial data was disclosed.

An in-depth investigation of a cyberattack

Like many other enterprises and organisations that suffer data breaches, Canada Post initiated an investigation. The purpose of forensic examinations of cyberattacks are manifold; they seek to identify the full extent of the damage caused to enterprises and data subjects, along with any potential risks that may emerge in the future. They also aim to discover how breaches occurred to mitigate the chance of them happening again and, if possible, identify the perpetrators behind attacks.

It is typical in such cases for businesses impacted to work closely with all parties involved, local law enforcement agencies, and specialists in cybersecurity.

Canada post commented:

“We are now working closely with Commport Communications and have engaged external cyber security experts to fully investigate and take action.”

The detailed investigation into the disclosed manifests revealed a raft of information regarding the attack. The data exposed included records from 2016 to 2019 with all files containing a variety of personally identifiable information (PII) on receiving customers, including names, addresses, email addresses and telephone numbers.

Canada Post stated that in November last year, Commport Communications had notified the postal service’s IT subsidiary, Innovapost, of a possible ransomware issue. However, after investigation, no evidence was uncovered suggesting that customer data had been disclosed.

Legislation in many countries around the world demands that agencies, organisations, and enterprises notify both the data subjects impacted by breaches and data regulators when an incident occurs. Canada Post followed the correct procedure and informed the Office of the Privacy Commissioner while taking a proactive approach to informing business customers affected by the breach and supplying them with support and detailed information.

The agency has stated it will use the incident and investigation to inform and enhance its cybersecurity approach, expanding it to include its suppliers and combat what is becoming an increasingly more sophisticated threat.