Canada's Post Office Leaked Personal Data of Legal Weed Customers

The rollout of legal weed in Ontario has been a disaster, and now it can add a privacy breach to its growing list of woes.

|
Nov 7 2018, 7:03pm

Image: Flickr/Stacey DaPonte

The rollout of legal pot in Canada’s most populous province, Ontario, has been an unmitigated disaster with weeks-long delays for weed deliveries and more than 1,000 formal citizen complaints. Now, Ontario’s cannabis regime can add a breach of sensitive information to its growing list of woes.

According to a news release from the Ontario Cannabis Store (OCS), posted to Twitter on Wednesday, an individual accessed information on roughly 4,500 orders through the Canadian postal service’s delivery tracking tool, which account for about two percent of all orders placed through the online retailer.

According to a Canada Post spokesperson, the individual responsible for the breach was an OCS customer “using OCS reference numbers” to obtain other people’s information through the Canada Post website. The information accessed included the nature of the delivery—cannabis products from OCS—the name or initials of the person who signed for the delivery, their postal code, and the date of the delivery.

Specific delivery addresses, payment information, and the names of people who actually placed the orders (versus signing for them when they come to the door) were not disclosed in the breach, the OCS news release states. The retailer itself was not impacted by the intrusion but nonetheless it’s notified affected customers.

When reached for comment, OCS spokespeople directed Motherboard to the retailer’s news release.

Canada Post—which has been administering nationwide rotating strikes for weeks due to stalled contract negotiations—notified the retailer of the breach on November 1, two weeks after recreational cannabis use was legalized in Canada. According to a Canada Post spokesperson, the OCS customer who accessed the sensitive information shared it with Canada Post and it has since been destroyed.

“Both [Canada Post and OCS] have been working closely together since that time to investigate and take immediate action,” a Canada Post spokesperson wrote Motherboard in an emailed statement. “As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information. We have also shared with OCS that we are confident that the customer who accessed the information only shared it with Canada Post and deleted it without distributing further."

With a privacy breach now added to the mix, Ontario’s system for legal cannabis is looking messier than it already did. And that’s saying something.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.