4,500 Ontario cannabis customers have personal data stolen
OCS says Canada Post to blame, but info obtained was limited
The Ontario Cannabis Store says a data breach through Canada Post has affected information from 4,500 customers.
In a privacy update on its website, the OCS said the breach late on Nov. 1 affected about two per cent of its customer orders, and information was accessed by a person using a Canada Post delivery tracking tool.
The OCS said it has informed Ontario's privacy commissioner of the breach and all affected customers.
"Since Nov. 1, the OCS has worked closely with Canada Post to identify the cause of this issue and to prevent any further unauthorized access to customer delivery information," the OCS said.
Names of the people who made the orders were not obtained, if they were not the same as the people who signed for delivery, according to the OCS.
Delivery addresses, payment information and the contents of orders were also not released.
Delivery information that was disclosed includes:
- Postal codes.
- Names, or initials or people who signed upon delivery.
- Date of delivery.
- OCS reference numbers.
- Canada Post tracking numbers.
- OCS corporate names and business addresses.
The OCS said it has encouraged Canada Post to notify its customers of the breach.
Customers affected by the breach were notified by the OCS by email, it added.
If customers who have placed orders with the OCS did not receive an email notifying them of the breach, then their order delivery information was not obtained, it said.
According to the store, the breach also potentially affected customers of other Canada Post clients.
Privacy a priority, store says in letter
In a letter to affected customers that was obtained by CBC Toronto, Patrick Ford, the OCS's president and CEO, said privacy has been a concern of the store since it set up its website.
"The OCS takes privacy and security very seriously. Protecting customer information has been the number one priority since the development of OCS.ca," he writes.
Customers with questions are urged to call the OCS's customer service line at 1-888-910-0627.
Canada Post says 'fixes' in place
In a statement on Wednesday, Canada Post admitted to the breach involving someone using its delivery tracking tool, but it did not say what kind of personal information was obtained.
It also said it is working with the OCS to prevent a breach from occurring again.
"Both organizations have been working closely together since that time to investigate and take immediate action," Canada Post said.
"As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information."
Canada Post said it informed the store on Nov. 1 about the breach, and it has notified the federal and Ontario privacy commissioners.
As well, Canada Post said it was confident the individual who accessed the information only shared it with Canada Post and deleted it without distributing further.
Ontario's privacy commissioner, Brian Beamish, called the breach "unfortunate" but said it appeared the risk to customer data was limited.
"I'm certainly pleased that OCS took the step of notifying people of the breach and making it public," Beamish said in an interview. "That level of transparency is good."
With files from The Canadian Press