TORONTO — Canada Post publicly admitted to a privacy breach involving thousands of Ontario’s online cannabis customers on Wednesday after the province’s only outlet for legal recreational marijuana notified clients of the problem.
The postal service said someone had used its delivery-tracking tool to gain access to personal information of 4,500 customers of the Ontario Cannabis Store but declined to identify the data.
“Both organizations have been working closely together since that time to investigate and take immediate action,” Canada Post said in a statement. “As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information.”
Canada Post notified the online cannabis store on Nov. 1 about the breach, both organizations said.
In a statement on Wednesday, the Ontario Cannabis Store said it referred the matter to the province’s privacy commissioner. The statement also said the store had “encouraged” Canada Post to take immediate action to notify its customers.
“To date, Canada Post has not taken action in this regard,” the store said. “Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers.”
In response, a spokesman for Canada Post said it had explained to the cannabis outlet that it did not have contact information for the pot buyers.
According to the online store, the compromised information included postal codes and the names or initials of the person who accepted delivery of the marijuana.
Other data such as the name of the person who made the order — unless the same person signed for delivery — the actual delivery address or payment information were not affected, the statement said.
Ontario’s privacy commissioner, Brian Beamish, called the breach “unfortunate” but said it appeared the risk to customer data was limited. Beamish praised the cannabis store for notifying people about the breach and going public.
“That level of transparency is good,” Beamish said in an interview.
Given the vulnerability occurred through Canada Post, Beamish said any further privacy action rested with the federal commissioner, who said through a spokeswoman that his office had been in contact with its provincial counterpart.
“We are also engaging with Canada Post to better understand what occurred and what is being done to mitigate the situation,” spokeswoman Tobi Cohen said.
In answer to an Opposition question Wednesday, Prime Minister Justin Trudeau told the House of Commons the breach was flagged and fixed and would not be repeated.
While marijuana ordered through the Ontario Cannabis Store is legal, privacy concerns are especially acute given the hard line taken by American authorities, who have made it clear Canadians who admit to even historical pot use could be refused entry or deemed inadmissible for life.
“I wouldn’t say I am worried (about this breach) but I am concerned any time my personal information is hacked,” said one customer, who received the email from the cannabis store. “I would prefer you not use my name only because I might like to continue to be admissible to U.S.A.”
According to the store, someone used Canada Post’s tracking tool to access delivery data, and the vulnerability also potentially affected customers of other postal clients.
“The OCS has worked closely with Canada Post to identify the cause of this issue and to prevent any further unauthorized access to customer delivery information,” the store said.
Canada Post said it was confident the individual who accessed the information only shared it with Canada Post and deleted it without distributing further.