Canada Post Admits Privacy Breach Of 4500 Ontario Cannabis Store Customers

Canada Post Admits Privacy Breach Of 4500 Ontario Cannabis Store Customers

3 Weeks In, Canada Has a Legal Pot Problem

(Newser) – A marijuana retailer in Newfoundland is summing up the sentiment three weeks after recreational cannabis became legal across Canada. "We need more weed!" Trevor Tobin tells the New York Times, adding suppliers don't have enough plants or packaging equipment to meet soaring demand. It's a problem next door in New Brunswick, where 10 of 20 legal stores were temporarily closed Monday due to supply issues. Quebec's 12 cannabis stores are now closed three days a week, while issues including a postal strike have delayed weed deliveries in Ontario, prompting some to return to illegal dealers. A Health Canada rep says issues are to be expected given "the launch of an entirely new regulated industry" with no dependable indicator of demand.

"It's hard to find know-how in an industry that was prohibited," adds Mandesh Dosanjh of British Columbia's Pure Sunfarms, who cites challenges like having to learn the art of growing cannabis at scale, fashion new supply chains, and accommodate Health Canada inspectors. Still, a rep for Quebec's cannabis agency understands the frustration among consumers. "Producers can add more people to try and meet demand, but that won't make the plants grow any faster," he says. Per the Toronto Star, industry insiders say a move toward automation may be necessary to speed up production in a cost-effective way, with shortages likely to continue until 2020. (Legal pot is coming to more US states.)  

Video: Ontario Cannabis Store data breach affects thousands

The decision to make recreational cannabis legal in Ontario, Canada, has been fraught with problems and now has been tarnished by a data breach at Canada Post.

According to a Canada Post spokesperson, the individual responsible for the breach was an OCS customer using OCS reference numbers to obtain other peoples information through the Canada Post website. The information accessed included the nature of the delivery—cannabis products from OCS—the name or initials of the person who signed for the delivery, their postal code, and the date of the delivery.

On Wednesday, the Ontario Cannabis Store (OCS) revealed the security incident on Twitter, saying that an unnamed individual was able to access the order records of 4,500 customers, or roughly two percent of the firms customer base.

The compromised information included names or the initials of nominated signatories, postcodes, dates of delivery, OCS reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses.

Specific delivery addresses, payment information, and the names of people who actually placed the orders (versus signing for them when they come to the door) were not disclosed in the breach, the OCS news release states. The retailer itself was not impacted by the intrusion but nonetheless its notified affected customers.

However, OCS insists that the name of buyers — unless they were accepting delivery — the full delivery address, contents of the order, and payment information were not compromised.

Smoking weed might now be legal in the area but this does not mean individuals taking advantage of the change in legislation would necessarily want their usage known — and no-one wants their personal data stolen and potentially leaked on the web, no matter the circumstances.

The breach was uncovered on November 1. Canada Post and OCS have been working together since this date to investigate how the data breach was allowed to take place, and OCS said a failure by Canada Post to inform customers led to the company taking action.

“RedeCan Pharm is a family owned and operated business in the heart of the beautiful Niagara escarpment. With more than 30 years of experience in agriculture, we are pleased to grow top quality medical marihuana as a licensed producer under the MMPR for a wide range of patients in the local community and nationwide. We aim to make our customers feel like a part of our family. Our goal is to enrich the lives of our customers with the best quality product alongside friendly support to assist you in your medical needs.”

“The OCS has encouraged Canada Post to take immediate action to notify their customers,” the cannabis supplier said. “To date, Canada Post has not taken action in this regard. Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers.”

Canada legalized recreational cannabis nationwide on October 17, 2018. Ontario is the largest province in Canada and is home to 39% of Canadians. In Ontario, recreational cannabis is only available online – retail outlets are expected to open in April 2019. The online-only nature of sales will limit recreational cannabis sales in the province, but that might be for the best, given current cannabis shortages. Sales here may also be lower due to an ongoing Canada Post strike.

Canada Post Breach Affects Private Data Of 4,500 Cannabis Customers In Ontario

Canada Post may be in hot water, but over 1,000 complaints have been received by the Ontario Ombudsman relating to OCS, including those describing billing issues, late deliveries, and poor customer service.

A data breach is likely the last thing OCS would want to face when already facing censure over sales — especially when the Ombudsman considered the problem severe enough to issue a press release — and while the regulatory body was only at the stage of monitoring the complaints, the security incident might escalate the situation, whether or not OCS was at fault in this instance.

The OCS is the only legal supplier in the region until April when private retailers are permitted to launch.

A Canada Post spokesperson told ZDNet that the individual behind the leak “only shared it with Canada Post and deleted it without distributing further.”

The postal service said in a statement that someone had used its delivery tracking tool to gain access to personal information of 4,500 customers of the Ontario Cannabis Store but declined to identify the information.

“Important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information,” the spokesperson added. “We are pleased that OCS has notified their customers of the issue and will continue to work together to provide customers with assurance that this is being fully addressed.”

The Federal Privacy Commissioner and the Ontario Information and Privacy Commissioner have been informed of the breach.

“It didnt take long for the cannabis industry to be treated like any other one and turned into a target for cyber attacks, this time exposing addresses and names or initials that are most likely out in the Dark Web,” Don Duncan, director at NuData Security told ZDNet. “While names and addresses are always useful to cybercriminals, companies can devalue that personally identifiable information by adding a layered security solution that includes passive biometrics and behavioral analytics so that customers are also identified by their online behavior.”

Posted in Ontario