Canada Post has sustained a supply chain attack that has left the data of 950,000 senders and receivers exposed for hackers to copy.
In a statement, the post office explained that its electronic data interchange (EDI) solution supplier, Commport Communications, was hit by cyberattackers. Commport Communications manages the shipping manifest data of Canada Post’s large parcel business customers.
The attackers managed to copy shipping manifests for 44 of the post office’s commercial users, resulting in the data of just over 950,000 senders and receivers being stolen. Canada Post said that after a comprehensive review of the shipping manifests, it concluded that 97% of the data contained only the name and address of the receiving customer. The remaining 3% of the data contained an email address or phone number.
Canada Post said that it was initially notified of a possible data breach last November. At that time, the post office notified its IT subsidiary Innovapost of a “potential ransomware issue.” At the time, Commport also said that it found no evidence to suggest that any customer data was compromised.
But in its recent statement, Canada Post said that it was notified just last week by Commport that the manifest data from July 2016 to March 2019 had been compromised by cyberattackers.
IT World Canada reported that the attack is likely to be the work of the ransomware group Lorenz. Cybersecurity company Emsisoft noted that Commport Communications was listed on the Lorenz breach website, which claimed to have posted copies of allegedly stolen files on December 20, 2020.
Bleeping Computer spoke with a researcher who said that Lorenz is a relatively new ransomware group, having only emerged this April. However, Emsisoft noted that Lorenz’s code is based on another ransomware, ThunderCrypt, which leads experts to believe that Lorenz is a rebrand of ThunderCrypt rather than a separate group.