Is there a business case for retail cannabis in Oakville?

4,500 Ontario cannabis customers have personal data stolen
Canada Post acknowledged Wednesday that thousands of Ontario customers buying cannabis had their information breached.

The national mail service has not notified the buyers behind 4,500 orders who had their data compromised. The breach became public after the Ontario Cannabis Store issued a statement on Wednesday and e-mailed affected customers the same day.

"Both organizations have been working closely together since that time to investigate and take immediate action," Canada Post said in a statement. "As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information."

Ontario's only legal outlet for recreational cannabis said it was notified last Thursday by Canada Post that someone had gained access to information such as postal codes and the names or initials of the adult who signed for the delivery of the marijuana. Other data such as the name of the person who made the order – unless the same person signed for delivery – the full delivery address or payment information were not affected, the OCS statement said.

"I wouldn't say I am worried (about this breach) but I am concerned any time my personal information is hacked," said one customer, who received the email from the cannabis store. "I would prefer you not use my name only because I might like to continue to be admissible to U.S.A."

The cannabis agency said it immediately referred the issue to the provincial Privacy Commissioner and encouraged Canada Post to take quick action to notify its customers.

"To date, Canada Post has not taken action in this regard," the store said in its statement. "Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers."

The home page for the Ontario Cannabis Store is shown in this photo illustration on Oct. 17, 2018. Canada Post publicly admitted on Nov. 7, 2018, to a privacy breach involving thousands of Ontario's online cannabis customers after the province's only outlet for legal recreational marijuana notified clients of the problem.

While marijuana ordered through the Ontario Cannabis Store is legal, privacy concerns are especially acute given the hard line taken by American authorities, who have made it clear that Canadians who admit to using pot could be refused entry to the U.S. or deemed inadmissible for life.

Canada Post said in a statement on Wednesday that it told the OCS it could not notify the customers affected by the breach because it did not have their contact information. The OCS said the orders accessed represented about 2 per cent of all licensed transactions completed in the province since the drug was legalized three weeks ago.

Canada Post said five companies had their names exposed in the breach, but would not clarify whether those five companies were customers of the cannabis store or were doing other business with the federal Crown corporation. Shopify, which handles the e-commerce platform for Ontario and other provincial cannabis outlets, said it was not involved in the incident.

TORONTO — Canada Post publicly admitted to a privacy breach involving thousands of Ontario's online cannabis customers on Wednesday after the province's only outlet for legal recreational marijuana notified clients of the problem.

Canada Post said it learned of the breach after an OCS customer contacted the postal service saying he had been able to access the information of other people's orders and urged Canada Post to review the situation.

No other order details were included, such as the name of the person who made the order — unless it was the same as the individual who signed for delivery — or the actual delivery address or payment information, the statement said.

The Crown corporation said it was confident the individual who accessed the information only shared it with the company and deleted it without distributing further. But Canada Post could not explain how they verified that only one person had accessed the data.

The postal service said in a statement that someone had used its delivery tracking tool to gain access to personal information of 4,500 customers of the Ontario Cannabis Store but declined to identify the information.

A spokesman for Canada Post would not say when the individual let the postal service know he had accessed the information. In a statement, Canada Post said it had been working with the OCS since last Thursday and has now fixed the problem.

According to the store, the breach occurred when an individual used the Canada Post tracking tool to access delivery data, and also potentially affected customers of other Canada Post clients.

Ontario's Privacy Commissioner, Brian Beamish, called the breach unfortunate but said it appeared the risk to customer data was limited. Mr. Beamish praised the cannabis store for notifying people about the breach and going public.

Given the vulnerability occurred through Canada Post, Mr. Beamish said any further privacy action rested with the federal Privacy Commissioner. A spokesperson said the federal commissioner's office had been in contact with its provincial counterpart.

According to the online store, the compromised information included postal codes and the names or initials of the person who accepted delivery of the marijuana.

“We are also engaging with Canada Post to better understand what occurred and what is being done to mitigate the situation,” spokeswoman Tobi Cohen said.

In answer to an opposition question on Wednesday, Prime Minister Justin Trudeau told the House of Commons the breach was fixed and would not be repeated.

Ronak Shah, a Toronto-based lawyer who specializes in privacy law, said this incident underscores how two organizations interpret their different obligations to customers under the separate provincial and federal privacy laws. In this instance, he said, it appears Canada Post took the position that it was a vendor to the OCS and, thus, the responsibility to notify the affected customers lay with the provincial outlet.

In response, a spokesman for Canada Post said it had explained to the cannabis store that it did not have contact information for the pot buyers.

The Ontario Cannabis Store says a data breach through Canada Post has affected information from 4,500 customers.

In a privacy update on its website, the OCS said the breach late on Nov. 1 affected about two per cent of its customer orders, and information was accessed by a person using a Canada Post delivery tracking tool.

The OCS said it has informed Ontario's privacy commissioner of the breach and all affected customers.

"Since Nov. 1, the OCS has worked closely with Canada Post to identify the cause of this issue and to prevent any further unauthorized access to customer delivery information," the OCS said.

Names of the people who made the orders were not obtained, if they were not the same as the people who signed for delivery, according to the OCS. 

If customers who have placed orders with the OCS did not receive an email notifying them of the breach, then their order delivery information was not obtained, it said.

In a letter to affected customers that was obtained by CBC Toronto, Patrick Ford, the OCS's president and CEO, said privacy has been a concern of the store since it set up its website.

"The OCS takes privacy and security very seriously. Protecting customer information has been the number one priority since the development of OCS.ca," he writes.

In a statement on Wednesday, Canada Post admitted to the breach involving someone using its delivery tracking tool, but it did not say what kind of personal information was obtained.

"Both organizations have been working closely together since that time to investigate and take immediate action," Canada Post said. 

"As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information."

Canada Post said it informed the store on Nov. 1 about the breach, and it has notified the federal and Ontario privacy commissioners.

As well, Canada Post said it was confident the individual who accessed the information only shared it with Canada Post and deleted it without distributing further.

Ontario's privacy commissioner, Brian Beamish, called the breach "unfortunate" but said it appeared the risk to customer data was limited.

"I'm certainly pleased that OCS took the step of notifying people of the breach and making it public," Beamish said in an interview. "That level of transparency is good."
