  • A Canadian online pharmacy has spilled the data of an undisclosed number of customers.
  • The type of data that was leaked includes names, emails, credit card numbers, and even prescriptions.
  • The platform gathers more types of data that would be valuable to malicious actors, but claims that all the rest is safe.

Planet Drugs Direct, a popular Canadian online pharmacy, is circulating security incident notifications to its customers, informing them that their sensitive personal data has been leaked. The pharmacy is a credible online entity and a member of CIPA (Canadian International Pharmacy Association), so a large number of people trust it to prepare their prescriptions and ship them to their homes. The incident could have affected about 400,000 customers, but as the platform provided no definitive numbers, these are merely guesstimates and nothing more at this point.

PlanetDrugsDirect breach notification
Source: Bleeping Computer

As the platform writes in the notification, its internal investigation has revealed that someone might have accessed the recipient’s name, address, email, phone number, medical information (prescriptions), and payment information. So far, the firm’s IT team has found no evidence of a password breach, so all accounts are considered to be safe from takeover attacks. The company is urging its clients to monitor their bank account and credit card activity closely, and to notify both the company and their bank if any unusual activity pops up. Clients are expected to contact the company at ‘1-888-791-3784’, or send an email to ‘[email protected]’.

Planet Drugs Direct collects various other data about its online customers, such as family medical history, any drug allergies, the name of the primary physician, occupation and employment status, and more. All of this constitutes highly sensitive personal information that could be very useful in the hands of phishing actors, scammers, and extortionists. As for the credit cards, these were leaked with the full numbers, expiry dates, and the name of the cardholder; at least the CVV codes are missing, which could save the day for the exposed clients.

It goes without saying that the online pharmacy has screwed up in this case, so it could at least offer coverage for some form of identity protection services for a year or so, like other firms do in similar cases. The service hasn’t posted anything about the incident on social media, nor on its website. We understand that the company may need to investigate the incident further before it provides any official statements, but it should have been more transparent about the number of affected individuals and how exactly hackers managed to overcome the platform’s “serious approach to customer privacy and data protection”.