The marijuana business has been quite lucrative for decades, so it’s expected that gangs would try to take advantage of Canada’s new legal cannabis sales regime in any way they can — online or off.
So the revelation Wednesday that a person had accessed, on Canada Post’s website, personal information from 4,500 online orders placed by people and companies through the provincially owned Ontario Cannabis Store (OCS) made headlines.
However, the incident may not have been the act of a criminal but more of an imaginative customer and whistleblower.
In a statement to ITWorldCanada.com, Canada Post said “the OCS customer notified us privately that they had accessed the information by utilizing his OCS reference number and felt it should be reviewed. We then notified OCS. We have been assured by the OCS customer that personal information has not been disclosed and has been permanently deleted.”
Canada Post said “limited delivery information” had been accessed. According to the OCS what was accessed was the buyer’s name or initials, postal code, date of cannabis delivery, the Canada Post tracking number and OCS’ corporate name and address.
“Both organizations have been working closely together since that time to investigate and take immediate action,” the post office statement said. “As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information. We have also shared with OCS that we are confident that the customer who accessed the information only shared it with Canada Post and deleted it without distributing further.”
The Ontario Cannabis Store is the only legal retailer of recreational cannabis in the province. The Toronto Sun quoted a letter from CEO Patrick Ford to the head of Canada Post which said “through our internal investigation, we have learned that this Canada Post website vulnerability is not unique to OCS customers and that in fact could apply to any Canada Post customers through manipulation of tracking and/or reference numbers.”
The Sun said OCS has demanded Canada Post get written assurances from the individual who accessed the information that it has not been shared and that it will be deleted.
In an email interview Terry Cutler, a certified ethical hacker and vice-president of cyber at Sirco Group, a Montreal-based security consultancy, said the incident is similar to a vulnerability he heard about in an unnamed Canadian municipal soccer registration service. Data could be altered just by changing a few clear text numbers, he said.
This breach sounds like an application design flaw, he said. “That’s why routine penetration tests are essential. They should be conducted routinely on any network or server-based entity that is deployed in a production environment, particularly any Internet-facing site, at least twice a year. This provides a level of practical assurance that any malicious user will not be able to penetrate the system. It’s also useful in the cases where the tester assumes the role of an outside hacker and tries to intrude into the system without any privileged knowledge of its architecture or similar information.”
A test would also focus on the web server and services that it offers by using methodology developed by the Open Web Application Security Project (OWASP, www.owasp.org), he said.
Dave Masson, country manager for security vendor Darktrace, also said the incident appears to be an application design flaw. He suspects the package tracking system was coded without privacy and security being part of the development process from the beginning.
Justin Jett, director of audit and compliance for security vendor Plixer, noted that security reporter Brian Krebs reported a similar incident earlier this year involving a leak from a bakery’s delivery site that revealed swaths of data from customers who had placed online orders. “The incident with Canada Post is another example of why using sequential numbers for account IDs and using internal data about your customers on publicly-facing sites is problematic,” Jett said. “Organizations should be sure to focus on security first when building out these applications and should use randomization to produce the IDs associated with orders. Sequential IDs make it incredibly easy for a malicious actor to iterate through every ID until they find what they are looking for or have downloaded the entire database of information.”
Don Duncan, a security engineer at Vancouver-based NuData Security, said that based on the description there could have been the potential for a brute force or velocity attack. It would be fairly straightforward to write a script to automate a process to access this information through the tracking numbers, he said. Using behavioral biometrics to identify this automation in real-time plus a form of multi-factor authentication would stop those kinds of attacks, he said.
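The two design points raised above, Jett’s sequential-versus-random order IDs and Duncan’s automated iteration through tracking numbers, side by side as an added illustration (not code from Canada Post, OCS or any of the vendors quoted). The order records, customer names and rate-limit thresholds are constructed for the example; the hardened lookup pairs an unguessable ID with an ownership check, and the velocity guard counts requests per client so that scripted enumeration can be blocked or alerted on.

```python
import secrets
import time
from collections import defaultdict

# Constructed sample data (not from the article): two delivery records
# keyed the way a sequential-ID design would expose them.
SEQUENTIAL_ORDERS = {
    1001: {"customer": "alice", "initials": "A.B.", "postal": "M5V", "delivered": "2018-11-01"},
    1002: {"customer": "bob", "initials": "C.D.", "postal": "K1A", "delivered": "2018-11-02"},
}

def lookup_sequential(order_id):
    """Vulnerable pattern: the reference number is the only 'credential'."""
    return SEQUENTIAL_ORDERS.get(order_id)

def guessable_records(lookup, candidate_ids):
    """Audit helper: how many records does a client get back by guessing IDs?"""
    return sum(1 for i in candidate_ids if lookup(i) is not None)

HARDENED_ORDERS = {}

def create_order(customer, record):
    """Hand out a random 128-bit URL-safe ID instead of the next row number."""
    order_id = secrets.token_urlsafe(16)
    HARDENED_ORDERS[order_id] = dict(record, customer=customer)
    return order_id

def lookup_hardened(order_id, requesting_customer):
    """Even an unguessable ID is checked against the authenticated customer."""
    record = HARDENED_ORDERS.get(order_id)
    if record is None or record["customer"] != requesting_customer:
        return None
    return record

class VelocityGuard:
    """Per-client sliding-window limit: flags scripted iteration of IDs."""
    def __init__(self, max_requests, window_seconds):
        self.max_requests, self.window = max_requests, window_seconds
        self.hits = defaultdict(list)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[client] if now - t < self.window]
        self.hits[client] = recent
        if len(recent) >= self.max_requests:
            return False  # over the limit: deny and raise an alert upstream
        recent.append(now)
        return True
```

Run `guessable_records` against each lookup to see the difference: the sequential store yields every record in the guessed range, the hardened store yields none.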
There are also questions over victim notification. Canada Post said it notified OCS on Nov. 1 about the breach. OCS said it encouraged Canada Post to notify their customers. “To date, Canada Post has not taken action in this regard,” said OCS, so it notified the 4,500 people or companies. According to the Canadian Press, Canada Post said in a statement it told OCS it couldn’t notify the customers affected by the breach because it didn’t have their contact information.
Under the federal Personal Information Privacy and Electronics Act (PIPEDA), starting Nov. 1 commercial organizations that suffer a data breach posing a real risk of serious harm to victims must notify the federal privacy commissioner. Canada Post has notified both the federal and provincial privacy commissioners.