Cyber Incident Victim: Commport Communications

Date: Dec 2020

Location: Canada

Summary

A ransomware attack on a third-party supplier compromised shipping manifest data for a postal service's commercial customers, exposing recipient names and addresses for nearly 950,000 individuals, with a small subset including email addresses or phone numbers. The Lorenz group claimed responsibility, leaking stolen data; forensic analysis found no financial information breached, prompting the victim to engage cybersecurity experts and notify privacy authorities.

Description

In December 2020, the Lorenz ransomware group breached Commport Communications, a third-party supplier to Canada Post, and subsequently leaked 35.3 GB of data from the attack on their extortion site. The incident remained undisclosed to affected parties until Canada Post’s public announcement on May 26, 2021, following a forensic investigation. Attackers accessed shipping manifest data stored in Commport’s systems, compromising sender and receiver information for 44 of Canada Post’s large commercial customers. The exposed data spanned shipments processed between July 2016 and March 2019, impacting approximately 950,000 receiving customers. Forensic analysis confirmed that 97% of the breached records contained recipient names and mailing addresses, while the remaining 3% included additional contact details such as email addresses or phone numbers. No financial information was accessed or exfiltrated during the incident.

Canada Post initiated its investigation after Lorenz publicly leaked the stolen data, contradicting Commport’s initial assessment that no data had been accessed during the ransomware attack. The postal operator engaged external cybersecurity experts to assist in determining the scope and validating the integrity of their systems. Canada Post notified all 44 affected commercial customers and reported the breach to the Office of the Privacy Commissioner of Canada. The compromised data did not originate from Canada Post’s own infrastructure but resided exclusively within Commport’s environment, which managed shipping manifests for high-volume business clients. Lorenz’s involvement marked a deliberate targeting of supply chain vulnerabilities to access downstream customer data, though no operational disruptions to Canada Post’s services occurred. The breach highlighted risks associated with third-party data handling practices in critical national infrastructure support networks.
