Blog

Nearly a Million Accounts Compromised at Canada Post

july 01, 2021 | data breach
Canada Post Breach

Canada Post Data Loss Tops Nation's Breach List

Nearly one million customers of Canada Post have learned that hackers likely stole their data from a third-party vendor who provides services to the government agency.

A recent statement from Canada Post revealed that the thieves gained access to the system back in mid-2016 and weren't discovered until early 2019. That's nearly three years. The vendor did not notify Canada Post of the leak until November 2020.

Package shipping manifests tied to 44 commercial firms yielded the data as part of a malware and ransomware attack. Commport Communications, the vendor that suffered the breach, notified Canada Post once it determined its scope. According to investigators, the hack could have exposed data from roughly 950,000 customers.

"After a thorough review of the shipping manifest files, we've determined the following: information is from July 2016 to March 2019, the vast majority (97%) contained the name and address of the receiving customer, and the remainder (3%) contained an email address and phone number."

The mail service added, "After a detailed forensic investigation, there is no evidence that any financial information was breached."

For most victims, the loss of a name and delivery address could cause concern but not an acute one. On the other hand, roughly 28,500 individuals whose email addresses and phone numbers were exposed face far more significant risks.

How This Data Could Be Abused

For the 950,000 victims, there's no sure way to tell when intruders took their data. Abuse could have launched nearly five years ago, too. Here are some ways this data might be misused:

  • A simple name and address could deliver more junk mail to the customer's home
  • A home address could gather details about its owners to beef up a data profile that imposters use for identity theft.
  • Thieves could interview neighbors to glean more info about the 950,000 unique files leaked, such as vacation plans or the number of residents in the home
  • Hacked email addresses create additional layers of risk. This data generates new phishing attacks in which scammers send communications pretending they know you. Here the goal is to trick the recipient into clicking on dangerous links.
  • Email data also goes to consumer data files hackers keep to impersonate them in future scams.
  • Spam attacks including a recent one that asks users to confirm huge purchases you never made.
  • Con artists also collect leaked phone numbers to send barrages of fraud-riddled texts.

You probably won't be able to guard all your data points perfectly; with data breaches so prevalent, some info will get compromised. But protect each detail as best you can so hackers have more difficulty in profiling you for attacks.

More Breach Headaches

A significant data breach also hit students planning to study abroad. An Ontario-based provider named guard.me, which focuses on the education sector. Guard.me provides health coverage for students who travel or study abroad.

News reports state that intruders gained access to student data such as date of birth, gender, and passwords. Although the passcodes were encrypted, it's unclear if those codes were stored using solid encryption. An unknown percentage of impacted users also had mailing and email addresses compromised along with phone numbers.

The company website states that guard.me "was first in the industry to offer multi-language translations of policies, secure online services for enrollments and claims, insured security evacuations for outbound study, and mobile device apps for participants and institutional stakeholders."

Both clients and guard.me executives probably desire more security enhancements in the breach's wake. The company has reportedly decided to implement 2FA or two-factor authorization, sometimes called multifactor authorization or MFA.

2FA adds another layer of security. The client enters something they know--usually, a passcode—followed by a numeric code the website delivers via text or email.

At this writing, guard. me's website, which was paused in mid-May for damage assessment, is still only partially operational. The FAQ page on the website states the investigation has not wrapped up. Clients impacted have reportedly received official notifications.

Shield Yourself

If leaked data keeps you up at night, check all the details about you that IDShield service tracks. Emails, phone numbers, medical insurance numbers, and dates of birth are just the beginning.

IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage and conditions, please see www.idshield.ca. All Licensed Private Investigators are licensed in the state of Oklahoma. This is not intended to be legal advice. Please contact an attorney for legal advice or assistance. If you are a LegalShield member, you should contact your Provider Law Firm.

Learn more about protecting yourself against identity theft