Canada Post confirms data breach involving Ontario Cannabis Store customer information

Published: November 9, 2018



Just weeks into Canada’s legalization of cannabis for recreational purposes, Ontario’s framework for managing pot distribution is already under question. Canada Post has confirmed it suffered a privacy breach that has affected thousands of online cannabis customers in Ontario.

The province’s only current retailer of marijuana for recreational use was affected by the breach after bad actors accessed the Ontario Cannabis Store (OCS) tracking tool. Canada Post says the personal data of 4,500 customers was compromised.

“Both organizations have been working closely together since that time to investigate and take immediate action,” Canada Post said in a statement. “As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information.”

The breach occurred late last month, and Canada Post informed the Ontario Cannabis Store on Nov.1, the organization said. Details from the online retailer suggest breached data included customer names and postal codes.

Minimal Data Loss

In a confirmation press release this week, the retailer said the case is now with Ontario’s privacy commissioner for investigation. Ontario Cannabis Store also urged Canada Post to notify customers, something the company says has yet to happen.

“To date, Canada Post has not taken action in this regard,” the store said in its statement. “Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers.”

Canada Post contests the criticism and says it cannot inform customers because it does not have contact information for the Store’s clients. Ontario privacy commissioner, Brian Beamish, said while the breach is problematic, there was not major risk to public data.

“I’m certainly pleased that OCS took the step of notifying people of the breach and making it public,” Beamish said in an interview. “That level of transparency is good.”