Student's killer on parole
Charges after investigation
Hostage was on captor 
Regulating power prices
Gen X is raking it in
LeBlanc laying groundwork
US vetoes UN resolution
$100M Nassar settlement
12 Trump jurors picked
Rates slow green economy
Vicinity hires president,
Record housing starts
Warriors ready for Round 2
Kalamalka Bowl cancelled
Rockets live to fight on
Rihanna's parenting ‘hack’
Tarantino scraps film
Munn talks cancer battle
Canada Post publicly admitted to a privacy breach involving thousands of Ontario's online cannabis customers on Wednesday after the province's only outlet for legal recreational marijuana notified clients of the problem.
The postal service said in a statement that someone had used its delivery tracking tool to gain access to personal information of 4,500 customers of the Ontario Cannabis Store but declined to identify the information.
"Both organizations have been working closely together since that time to investigate and take immediate action," Canada Post said in a statement. "As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information."
Canada Post notified the online cannabis store on Nov. 1 about the breach, both organizations said.
In a statement on Wednesday, the Ontario Cannabis Store said it referred the matter to the province's privacy commissioner. The statement also said the store had "encouraged" Canada Post to take immediate action to notify its customers.
"To date, Canada Post has not taken action in this regard," the store said in its statement. "Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers."
In response, a spokesman for Canada Post said it had explained to the cannabis store that it did not have contact information for the pot buyers.
According to the online store, the compromised information included postal codes and the names or initials of the person who accepted delivery of the marijuana.
No other order details were included, such as the name of the person who made the order — unless it was the same as the individual who signed for delivery — or the actual delivery address or payment information, the statement said.
OCS said customers who did not receive an email notification were not part of the breach.
Ontario's privacy commissioner, Brian Beamish, called the breach "unfortunate" but said it appeared the risk to customer data was limited.
"I'm certainly pleased that OCS took the step of notifying people of the breach and making it public," Beamish said in an interview. "That level of transparency is good."
Given that the vulnerability occurred through Canada Post, Beamish said any further privacy action rested with the federal commissioner, who did not immediately comment.
Canada Post said it was confident the individual who accessed the information only shared it with Canada Post and deleted it without distributing further.
