Canada Post’s relaxed data security leaves cannabis users vulnerable

A data breach has hit Canada Post, potentially affecting thousands of Canadian cannabis users who ordered marijuana online, CTV News reports.

It is believed that clients were notified immediately after the legal online retailer of the recreational drug discovered the problem.

Hackers broke into Canada Post’s delivery-tracking tool to gain access to the personal details of 4,500 customers of the cannabis store in Ontario.

The postal service has not identified precisely what information has been compromised, but maintains the online cannabis retailer was informed of the breach on November 1st.

In a statement, Canada Post said:

“Both organisations have been working closely together since that time to investigate and take immediate action. As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information.”

The retailer in question – the Ontario Cannabis Store – said the matter had been forwarded to the province’s privacy commissioner, and affirmed the store had “encouraged” Canada Post to notify customers immediately.

“To date, Canada Post has not taken action in this regard. Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers,” the store said.

A Canada Post spokesperson said the cannabis retailer had been told that the postal service did not have contact information for the recreational drug buyers, but the retailer says post codes, names and/or initials of those who accepted delivery of the drug may have been compromised.

Details including the name of those who made the initial order, delivery addresses and payment data were not affected, the statement said.

Privacy commissioner for the province of Ontario, Brian Beamish, said the breach was “unfortunate” but added that the impact on users appeared to be limited. Mr Beamish applauded the cannabis retailer for being open and honest about the breach and going public promptly, commenting “that level of transparency is good”.

The federal commissioner will now be responsible for any action taken because the vulnerability appeared through Canada Post, Mr Beamish said.

Freedom implications

Canadian prime minister Justin Trudeau told the House of Commons this week that the breach had been “flagged and fixed” and would not happen again.

But those affected by the breach fear that their ability to access the USA might be impacted; the States do not look kindly upon individuals with a history of drug use trying to enter the country, even if the drug was consumed legally in the traveller’s country of origin.

An anonymous user involved in the data breach said:

“I wouldn’t say I am worried (about this breach) but I am concerned any time my personal information is hacked. I would prefer you not use my name only because I might like to continue to be admissible to U.S.A.”

