Canada Post informed 44 of its large business customers of a data breach due to a malware attack on one of its suppliers called Commport Communications. Read the news release here.
The vendor notified Canada post last week that the manifest data that contains the names and addresses of customers (both sender and receiver) and in few cases email addresses and phone numbers had been compromised. Canada Post uses this vendor to manage shipping manifest data of large parcel customers. Canada Post claims that no financial information was compromised, but the breach contains data of 950K receiving customers. 97% of the stolen data only contains names and addresses, and 3% contains the contact information.
Views might differ, but from privacy perspective the impact is minimal. Name and address is public information, and hackers are looking to steal financial information or find opportunities to sell data for financial gain. Name and Physical address doesn't give them that opportunity. The usable data is only 3% that they may be able to sell. These customers might see increased phishing/smishing attempts on their emails and sms messages.
The real facts on how the breach occurred are still unknown, I would be curious to know what vulnerability was exploited. It again stresses the importance of educating your employees and upgrading/patching your infrastructure.
It will take a lot of time to do forensics to find out the real damage, but Canada Post would now have to clean the servers, focus on data hygiene, and begin protective measures within and with all of their third party vendors.