Canada Post has sent a notification of a data breach to 44 of its business partners, who in turn count about 950,000 customers. According to the news that come from Canadian media, one of the agency’s software suppliers fell victim to a malware attack. The software in question is a product of Commport Communications, a vendor of data interchange solutions. Canada Post was using a solution from that supplier to manage the shipping manifest data of large parcel business customers.
The problem became known to the agency on May 19, 2021, while the accessed and potentially stolen information ranges from July 2016 to March 2019. The types of data that have been compromised include names and addresses of customers, and in 3% of the entries, they also contain an email address and a phone number.
This doesn’t sound very critical or exposing, but names and physical addresses are still sensitive data that can be used for scamming social engineering, and even postal phishing. As such, the agency also notified the Office of the Privacy Commissioner.
Commport Communications was actually compromised by the Lorenz ransomware gang back in November 2020. The firm had investigated the incident back then but didn’t find any evidence of data exfiltration, so they assured Canada Post that no customer data had been compromised. However, two weeks ago, users of a popular hacking forum started posting the stolen dataset, offering it for purchase, or even sharing it freely. Soon, the software vendor analyzed the sample and confirmed that a data breach had occurred after all.
Canada Post was disappointed by this development and promise to enhance their cybersecurity approach henceforth. Obviously, trusting third parties with your customer data and just taking their word when the time to investigate security incidents comes isn’t working well for them.
As for Lorenz, this is a ransomware group that surfaced in the media only recently, with their ransom demands being around 14 Bitcoin. The group uses the same encryptor as ThunderCrypt, but it’s not clear if this is a rebranding or if one group sold its tool to another. As we see now, though, Lorenz had some notable breaches long before they launched a leaks site, and Commport Communications was one of them.