Shortly after the Ontario Cannabis Store (OCS) launched online sales following the legalization of recreational cannabis in Canada on October 17, 2018, a data breach was disclosed affecting approximately 4,500 customers — roughly 2 percent of total orders placed during the early weeks of operation.

The breach occurred through Canada Post’s online package delivery tracking portal. An unauthorized individual gained access to the tracking system and was able to view shipment records associated with OCS orders. Canada Post notified the OCS on November 1, 2018, and OCS notified affected customers by email shortly after.

The information exposed was limited to delivery metadata: postal codes, names or initials of the individuals who signed for delivery, dates of delivery, OCS order reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses. No financial data, payment card information, government identification, or detailed personal profiles were exposed.

Canada Post stated it was confident the person who accessed the information shared it only with Canada Post itself and deleted it without further use. Both organizations implemented fixes to prevent further unauthorized access to the tracking portal.

The incident drew heightened public attention due to the politically sensitive nature of cannabis purchasing records at a time when legalization was brand new and many customers were concerned about privacy. The OCS directly emailed affected customers and clarified that those who did not receive a notification were not impacted.

The breach illustrated a common pattern in supply chain risk: a government-run retailer with strong security intentions can still be exposed through a third-party logistics and postal vendor’s own system weaknesses, particularly during a rapid operational launch when security reviews may be incomplete.