TORONTO — Canada Post publicly admitted to a privacy breach involving thousands of Ontario’s online cannabis customers on Wednesday after the province’s only outlet for legal recreational marijuana notified clients of the problem.
The postal service said in a statement that someone had used its delivery tracking tool to gain access to personal information of 4,500 customers of the Ontario Cannabis Store but declined to identify the information.
“Both organizations have been working closely together since that time to investigate and take immediate action,” Canada Post said in a statement. “As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information.”
Canada Post notified the online cannabis store on Nov. 1 about the breach, both organizations said.
In a statement on Wednesday, the Ontario Cannabis Store said it referred the matter to the province’s privacy commissioner. The statement also said the store had “encouraged” Canada Post to take immediate action to notify its customers.
“To date, Canada Post has not taken action in this regard,” the store said in its statement. “Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers.”
In response, a spokesman for Canada Post said it had explained to the cannabis store that it did not have contact information for the pot buyers.
According to the online store, the compromised information included postal codes and the names or initials of the person who accepted delivery of the marijuana.
No other order details were included, such as the name of the person who made the order — unless it was the same as the individual who signed for delivery — or the actual delivery address or payment information, the statement said.
OCS said customers who did not receive an email notification were not part of the breach.
Ontario’s privacy commissioner, Brian Beamish, called the breach “unfortunate” but said it appeared the risk to customer data was limited.
“I’m certainly pleased that OCS took the step of notifying people of the breach and making it public,” Beamish said in an interview. “That level of transparency is good.”
Important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information
Given that the vulnerability occurred through Canada Post, Beamish said any further privacy action rested with the federal commissioner, who did not immediately comment.
While marijuana ordered through the Ontario Cannabis Store is legal, privacy concerns are especially acute given the hard line taken by American authorities, who have made it clear that Canadians who admit to using pot could be refused entry to the U.S. or deemed inadmissible for life.
“I wouldn’t say I am worried (about this breach) but I am concerned any time my personal information is hacked,” said one customer, who received the email from the cannabis store. “I would prefer you not use my name only because I might like to continue to be admissible to U.S.A.”
According to the store, the breach occurred when an individual used the Canada Post tracking tool to access delivery data, and also potentially affected customers of other Canada Post clients.
“The OCS has worked closely with Canada Post to identify the cause of this issue and to prevent any further unauthorized access to customer delivery information,” the store said. “Canada Post has advised that any information obtained was deleted and not further disclosed.”
Canada Post said it was confident the individual who accessed the information only shared it with Canada Post and deleted it without distributing further.