Part of Cannabis and consumers
Canada Post acknowledged Wednesday that thousands of Ontario customers buying cannabis had their information breached.
The national mail service has not notified the buyers behind 4,500 orders who had their data compromised. The breach became public after the Ontario Cannabis Store issued a statement on Wednesday and e-mailed affected customers the same day.
Ontario’s only legal outlet for recreational cannabis said it was notified last Thursday by Canada Post that someone had gained access to information such as postal codes and the names or initials of the adult who signed for the delivery of the marijuana. Other data such as the name of the person who made the order – unless the same person signed for delivery – the full delivery address or payment information were not affected, the OCS statement said.
The cannabis agency said it immediately referred the issue to the provincial Privacy Commissioner and “encouraged” Canada Post to take quick action to notify its customers.
“To date, Canada Post has not taken action in this regard,” the store said. “Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers.”
Canada Post said in a statement on Wednesday that it told the OCS it could not notify the customers affected by the breach because it did not have their contact information. The OCS said the orders accessed represented about 2 per cent of all licensed transactions completed in the province since the drug was legalized three weeks ago.
Canada Post said five companies had their names exposed in the breach, but would not clarify whether those five companies were customers of the cannabis store or were doing other business with the federal Crown corporation. Shopify, which handles the e-commerce platform for Ontario and other provincial cannabis outlets, said it was not involved in the incident.
Canada Post said it learned of the breach after an OCS customer contacted the postal service saying he had been able to access the information of other people’s orders and urged Canada Post to review the situation.
The Crown corporation said it was confident the individual who accessed the information only shared it with the company and deleted it without distributing further. But Canada Post could not explain how they verified that only one person had accessed the data.
A spokesman for Canada Post would not say when the individual let the postal service know he had accessed the information. In a statement, Canada Post said it had been working with the OCS since last Thursday and has now fixed the problem.
“Both organizations have been working closely together since that time to investigate and take immediate action,” Canada Post said in a statement. “As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information.”
Ontario’s Privacy Commissioner, Brian Beamish, called the breach “unfortunate” but said it appeared the risk to customer data was limited. Mr. Beamish praised the cannabis store for notifying people about the breach and going public.
“That level of transparency is good,” Mr. Beamish said in an interview.
Given the vulnerability occurred through Canada Post, Mr. Beamish said any further privacy action rested with the federal Privacy Commissioner. A spokesperson said the federal commissioner’s office had been in contact with its provincial counterpart.
"We are also engaging with Canada Post to better understand what occurred and what is being done to mitigate the situation," spokeswoman Tobi Cohen said.
In answer to an opposition question on Wednesday, Prime Minister Justin Trudeau told the House of Commons the breach was fixed and would not be repeated.
Ronak Shah, a Toronto-based lawyer who specializes in privacy law, said this incident underscores how two organizations interpret their different obligations to customers under the separate provincial and federal privacy laws. In this instance, he said, it appears Canada Post took the position that it was a vendor to the OCS and, thus, the responsibility to notify the affected customers lay with the provincial outlet.
With a report from The Canadian Press