User data on 950,000 packages exposed after Canada Post fell victim to third-party hack
Canada Post is the latest victim of a supply chain attack that allowed hackers to capture the names and addresses of approximately one million package senders and recipients over a period of three years.
The Post Office acknowledged this week that the breach was the result of a cyberattack on its electronic data interchange (EDI) solutions supplier, Comport Communications, which manages shipping manifest data from large parcel business customers.
Shipping manifests are used to fulfill customer orders. They typically include the sender and receiver contact information found on shipping labels, such as the names and addresses of the business sending the item and the receiving customer.
In this hack, the shipping manifests of 44 of the post office's commercial users were copied. They contained information related to more than 950 thousand receiving customers. Canada Post stated that an in-depth review of the shipping manifest files concluded that the vast majority (97 percent) had only the receiving customer's name and address. The remainder (3 percent) had an email address and/or phone number.
However, cyber experts note that crooks will use the email address for spam, spear-phishing and impersonation attacks.
The attack appears to be the work of a relatively new ransomware group called Lorenz. According to Brett Callow, a British Columbia-based cybersecurity researcher at Emsisoft, Comport Communications has been listed on the Lorenz breach site which allegedly claimed to have posted copies of the stolen files on December 20, 2020.
However, Bleeping Computer quoted a researcher as saying that Lorenz only emerged in April. Callow said that the code of the ransomware is based on the ThunderCrypt ransomware. There is speculation that Lorenz is a rebrand of ThunderCrypt rather than a separate operation.
Canada Post says it was first informed of a potential problem last November. At the time, Comport told Canada Post's IT subsidiary InnovaPost about "a potential ransomware problem". According to the Post Office, at the time, Comport said "there was no evidence to suggest any customer data was tampered with." Canada Post said Comport had reported last week that manifest data it held between July 2016 and March 2019 had been compromised.
was not immediately available for comment. A man who identified himself as an executive assistant said Thursday afternoon that officials were taking the names and phone numbers of the media for follow-up.
In an email, David Mason, Ottawa-based director of enterprise security for Darktrace, said the amount of data copied indicates that malicious activity had been going on for some time.
The attack is further proof that the complex digital supply chain is "a hacker's paradise," he wrote. “Canada Post is the latest victim in a new era of cyber-threat, where attackers exploit supply chain vulnerabilities to launch massive attacks with maximum return on their investment.
“It is nearly impossible to detect these silent and covert attacks with traditional security tools, and companies today must adopt a zero-trust policy when it comes to third party suppliers. Perimeter security will not work – these attacks come from inside. So thousands of organizations today rely on state-of-the-art technology like AI to identify subtle indicators of this malicious activity, and thwart it before the damage is done.”
The increase in supply chain hacks speaks to the vulnerability of Canada's critical infrastructure, said Rick Van Galen, a security engineer at Toronto-based 1Password.
“Unless there are robust cybersecurity improvements – protecting credentials, regularly applying patches, adopting greater system and design flexibility, ensuring suppliers are meeting the most basic security requirements, and regularly preparing and practicing incident response scenarios – the costly impact of these attacks will continue.
"This is a signal to governments everywhere that data protection requirements have changed and that appropriate funding is needed to support the growing complexities of handling customer data."
Comport, which began business in 1985, provides a wide range of supply chain management solutions for electronic commerce, including electronic data interchange (EDI), value-added networks (VANs), and global data synchronization networks (GDSNs).
There is no shortage of examples of third-party or supply-chain hacks, the most recent of which include SolarWinds and Accellion.