On October 17, 2018, marijuana became legal in Canada. 15 days later, Ontario suffered a data breach in one of its stores.
The breach itself, weighing in at a mere 4,500 records, may not seem like much, but the timeline can certainly turn heads. On October 17, cannabis became legal in Canada. The legalization was seen by some as a major policy shift likened to alcohol prohibition coming to an end.
In the days since, the federal and provincial governments have been launching information campaigns to inform the public on what legalization means. Mixed in are key selling points on how legalization benefits society. Examples include taking money out of the hands of criminals as well as keeping cannabis out of the hands of minors.
15 days later, it seems that criminals are still getting potential financial benefits from marijuana. Instead of simply selling the legalized product, they are going after people’s personal information instead. A report from CBC:
The Ontario Cannabis Store says a data breach through Canada Post has affected information from 4,500 customers.
In a privacy update on its website, the OCS said the breach late on Nov. 1 affected about two per cent of its customer orders, and information was accessed by a person using a Canada Post delivery tracking tool.
The OCS said it has informed Ontario’s privacy commissioner of the breach and all affected customers.
“Since Nov. 1, the OCS has worked closely with Canada Post to identify the cause of this issue and to prevent any further unauthorized access to customer delivery information,” the OCS said.
Delivery information that was disclosed includes:
– Postal codes.
– Names, or initials or people who signed upon delivery.
– Date of delivery.
– OCS reference numbers.
– Canada Post tracking numbers.
– OCS corporate names and business addresses.
If the selling point of legalization is an increase or enhancement of public safety, this breach will certainly complicate that selling point.
With so many Canadians flocking to legal stores to the point that the shelves are empty, that no doubt will become an attractive target for data thieves in general. The reason it is so attractive is that not only are there going to be the number of people that could have their information in the system, but also the fact that such information is so fresh still. In addition to this, there will no doubt be elements of the system that are going to be new, so there are going to be security challenges from the get-go.
On top of it all, there’s the potential for bragging rights in the black hat community. Who is going to be the first to break into the legal marijuana industry in Canada? Clearly, we’ve already seen one breach in a mere 15 days which is so bad, it’s impressive. For all we know, this won’t be the last security lapse in the system as well.