Canada’s primary postal operator, Canada Post, confirmed Wednesday that it has suffered a data breach.
The security incident occurred following a cyber-attack on one of the Crown corporation’s suppliers, Commport Communications, which provides electronic data interchange solutions.
Commport Communications was hired by the postal service to manage the shipping manifest data of its large parcel business’ customers.
Following the cyber-attack, Canada Post has informed 44 of its commercial customers that data belonging to more than 950,000 customers has been compromised.
Commport Communications notified Canada Post that manifest data stored in its systems had been exposed in a malware attack on May 19.
“Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it,” said Canada Post on Wednesday in a press release.
The corporation said that exposed information dates from July 2016 to March 2019 and that most of it (97%) contains the name and address of the receiving customer. The customer’s email address and/or phone number were included in 3% of the compromised data.
Canada Post said that a detailed forensic investigation into the data breach had not turned up any evidence of financial information’s being compromised.
“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” Canada Post said.
Though the breach hit Canada Post customers via an attack on a supplier, the corporation said they “sincerely regret the inconvenience this will cause our valued customers” and have notified the Office of the Privacy Commissioner.
“Canada Post respects customer privacy and takes matters of cybersecurity very seriously,” said the corporation.
The postal operator added that it will “incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cybersecurity approach which is becoming an increasingly sophisticated issue.”
Last November, Commport Communications notified Innovapost, the IT subsidiary of Canada Post, of a potential ransomware issue. An investigation found no evidence to suggest any customer data had been compromised.