UPDATED 20:40 EST / MAY 30 2021

SECURITY

Canada Post customer records stolen following cyberattack on supplier

The details of some 44 commercial customers of Canada Post, covering about 950,000 receiving customers, are believed to have been stolen following a cyberattack that targeted a key supplier.

In a statement May 26, Canada Post said it had been told May 19 by Commport Communications International Inc., an electronic data exchange solution supplier used by the corporation, that it had suffered a data breach. The data stolen related to shipping manifest data held in its systems that was associated with some Canada Post customers.

“Shipping manifests are used to fulfill customer orders,” Canada Post explained. “They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it.”

The stolen data covered July 2016 to March 2019, with 97% of the records consisting of only the names and addresses of the receiving customer. The remaining 3% also included email addresses or phone numbers.

Canada Post claims that a detailed forensic investigation into the data breach has found no evidence of financial data being stolen. “We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” Canada Post added.

The exact form of the attack was not detailed and Commport Communications has not made any public statement on the data breach. That said, it’s believed that the attack involved the Lorenz ransomware group.

Bleeping Computer reported May 27 that Lorenz posted on its data leak site in December that it had breached Commport Communications during a ransomware attack. Since then, the group has published 35.3 gigabytes of data allegedly stolen in the attack.

The Lorenz ransomware group started making headlines earlier this month. It is a double-tap ransomware group that both encrypts and steals files, demanding a ransom payment for both a decryption key and a promise not to publish stolen data.

“Cybercriminals work to achieve two things — money and data they can sell for money,” James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Data breaches where they can steal names, email addresses and phone numbers are a good source of revenue and can be added to more extensive, accumulated data from other breaches.”

What they do is cross-reference the information to create and verify a digital profile of individuals, McQuiggan explained. “This action helps increase the confidence of the data for the cybercriminal to create targeted or spear-phishing emails to lure the victim into clicking a link and gaining access to their system,” he said.

Demi Ben-Ari, chief technology officer and founder of security management firm Panorays Ltd., noted that it may not seem obvious that a supplier that manages shipping data for a postal agency would be the entry point for a cyberattack, but that’s exactly what happened here.

“Cyber incidents such as these illustrate why it’s so essential for organizations from every industry to assess and continuously monitor all of their third parties in order to pinpoint and close cyber gaps,” Ben-Ari said. “This can be accomplished most effectively with a combination of external attack surface assessments and customizable automated security questionnaires, while also considering business context.”

Photo: Phillip Jeffrey/Flickr
