Business data exposed on Canada Post website

December 17, 2007


Login records for scores of small businesses that use Canada Post's business shipping website are available online as a result of a Web server glitch, leaving sensitive information such as names, addresses and shipping details vulnerable.

A Vancouver small business owner discovered the security breach last week while conducting a Yahoo search of his company name. The first link generated by Yahoo contained his username and password for Canada Post's Sell Online website. Only the letters "CPC" that are required to come before all usernames were missing.

The man then discovered that by simply changing the date in his Web browser address bar, he could access dozens of websites with other login records that disclosed usernames and attempts to enter passwords on the Sell Online website.

"I was absolutely shocked," said the man who spoke to the Globe and Mail on the condition of anonymity. "This information simply should not be in the public domain. Anyone with my password could have accessed customer shipping details and my Visa card number, which is attached to the website."

François Legault, a spokesman for Canada Post, could not specify the root cause of the security breach, but said the federal agency believes the available "out of date" usernames and passwords pose no threat to its customers. Mr. Legault said the federal agency - which farms out all of its IT services to third parties such as Innovapost and IBM - had addressed the problem.

But a Yahoo search of cached websites Friday revealed more Sell Online usernames and login attempts.

"Obviously, we unfortunately won't be able to find and eliminate all the cached daily files, but over time they will expire and we're confident there's no risk that someone can use this information to steal identities," Mr. Legault said.

But an Internet law specialist said that even though the data made available by Canada Post show failed login attempts - incorrect combinations of usernames and passwords - this kind of information is a potential "gold mine" for those engaged in identity theft and Internet fraud.

"People typically use the same username and the same password across multiple websites," said Michael Geist, a law professor at the University of Ottawa. "If you're a fraudster, you could use the information from the Canada Post records to try to crack into someone else's online banking or e-mail accounts. You'd be surprised the number of times you'd be successful."

Sell Online allows business owners to set up online stores for products, provide shipping quotes, and enable customers to use virtual shopping carts. Many mail-order businesses link their websites with the Sell Online website to automatically calculate shipping costs and determine packaging dimensions.

Karin Bull, owner of Biopaw, a Pickering, Ont.-based mail-order business dealing in natural pet food, recently opened an account with Sell Online. Ms. Bull said she was "devastated" when contacted by the Globe and Mail and presented with her passwords that were gleaned from the Internet.

"These are passwords I use for other online applications like e-mail and banking," Ms. Bull said. "I'm definitely going to think twice about repeated attempts to login anywhere online again."

Scott Smith, president of, a Simcoe, Ont.-based Formula One Racing merchandise retailer, said he couldn't believe his username and password were already online, especially since he had created his shipping profile only last Thursday.

"That's pretty scary," he said. "You really could ruin someone's business by logging in and changing all their shipping numbers."

The Canada Post security breach comes just two weeks after a massive privacy flaw was discovered on the website of another federal agency. In late November, a Huntsville, Ont., man was able to access social insurance numbers, birthdates and driver's licence numbers of those applying for new passports on the Passport Canada website.

"Unfortunately, this kind of thing happens all the time," said Ian Goldberg, an Internet security expert at the University of Waterloo.

In the case of Sell Online, it appears that a folder with client login attempts was inadvertently placed in a public area of the Web server, Prof. Goldberg said.

"This is clearly not malicious," he said. "Canada Post isn't a security company, it's a post office. They just made a mistake."
