The names, shipping addresses, and order dates of more than 4,500 Ontario Cannabis Store (OCS) customers were exposed after an unauthorized individual accessed the database of the Canada Post postal service on November 1. The next day, the CEO of the Ontario Cannabis Retail Corporation sent a letter to the head of Canada Post demanding the government agency inform the affected customers. But word about the privacy breach only went out to customers on Wednesday, six days later. Now, Canadian officials are saying that the vulnerability that led to the November 1 data breach is a system-wide issue affecting Canada Post’s entire delivery tracking system.

Privacy Breach Exposes 4,500 Cannabis Customers’ Purchase Data

On October 17, Canada became just the second country in the world to legalize cannabis for adult use. But a patchwork of provincial regulations has led to the uneven implementation of legal retail industries. In Ontario, for example, retail storefronts are on hold until next year. For now, the only legal way to purchase cannabis is through the Ontario Cannabis Store‘s online portal. The task of delivering cannabis products to customers falls to the Canada Post.

But Canada Post’s own online package tracking system has a massive privacy vulnerability that can be easily manipulated to expose any customer’s data, not just OCS customers. However, the Nov. 1 breach seems to have only affected the data of about 4,500 OCS customers, according to the Toronto Sun. Speaking with the press about the breach, Patrick Ford, president and CEO of the Ontario Cannabis Retail Corporation, stressed the seriousness of the privacy breach. “The OCS is extremely concerned about the compromising of OCS customer data accessed through the Canada Post online tracking tool,” Ford said. “We cannot stress enough the seriousness of this matter and the grave concern that this has created for the OCS and its customers.”

Who Accessed Cannabis Customer Data and What Did They Do With It?

The Canada Post says that its internal investigation revealed that one individual was able to access the data of 4,500 OCS customers. Apparently, the individual used OCS reference numbers that track cannabis purchases as well as Canada Post tracking numbers. The manipulation of both data points allowed the individual to access delivery information from about 4,500 cannabis customer orders.

On November 7, Canada Post sent an email to all of the affected OCS customers. The email assured recipients that the individual who accessed their private data only shared it with Canada Post. According to Canada Post officials, the breach exposed limited delivery data. The personal financial information of OCS customers was not accessed during the breach.

Still, the data breach, even if largely inconsequential, is a major concern for cannabis customers’ privacy. Despite legalization, taboo still surrounds cannabis use. People can still face sanctions or consequences in their workplace for using cannabis, even legally. Indeed, privacy breaches such as this create a range of risks for customers and Canada Post workers alike.

For their part, the OCS is demanding Canada Post overhaul its system to address the major security flaw. And until they do, OCS has pulled all order reference numbers from the tracking data it submits to Canada Post. Both the OCS and Canada Post have informed the Ontario Privacy Commission about the breach. And all three parties are working together to address the issue and protect customer data going forward.