Canada Post has suffered a data breach impacting 44 of its business clients which lead to 950,000 receiving customers being compromised.
97% of the accessed data, spanning from July 2016 to March 2019, contained receiving customer names and address information. Forensic investigations did not find evidence of any financial data compromise.
This breach occurred through Commport Communications - a third-party vendor hired by Canada Post to manage the shipping manifest data of its large business clients.
But this was not a sudden third-party breach. This event is believed to be linked to a ransomware attack Commport Communications suffered back in December 2020.
At the time, Commport Communications was confident that the ransomware attack, launched by Lorenz, did not impact Canada Post and advised the postal service that their data was safe.
But behind the scenes, Lorenz was publishing 35.3 GB of the data allegedly stolen from the ransomware attack on the dark web.
Data leaks are overlooked attack vectors, and many organizations are unknowingly depositing them.
A data leak is any accidental or unauthorized exposure of sensitive data. When cybercriminals discover data leaks, it could arm them for a devastating data breach. So by shutting down third-party data leaks before they’re discovered, third-party breaches and supply chain attacks will be significantly reduced.
The string of third-party breaches that have rocked the business world since the SolarWinds incident demonstrates that vendors can no longer be trusted - not for their cybersecurity efforts, nor their cyber incident communications. Biden’s Executive Order aims to change this.
The lack of data breach transparency could be due to either a conscious or subconscious bias. Vendors are partial to the preservation of their reputation, and so their statements cannot be the only source of information about a data breach they’ve suffered.
A preserved reputation, at the expense of 6 months of sensitive data leakage, hardly seems like a fair exchange.