Via Rail is contacting customers who may be getting spam messages linked to the email account they have used when corresponding with the company.
Via said it began investigating following a report from a customer on Aug. 11 that he had been receiving spam emails.
The railway said its investigation determined that a subcontractor of one of its suppliers, which conducts surveys on Via's behalf, inadvertently made some customer lists available on the internet while performing a series of tests in July.
It said the lists contained general information, such as customers' names, postal codes, email addresses and travel details for the period of Jan. 2, 2017 to March 19, 2017.
Via said it does not keep any financial information in its databases, so that data was not disclosed.
These lists have been removed from the server and Via said it has suspended its business relationship with the supplier. Via has also advised the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat of the breach.
"We are sending you this letter to apologize for any inconvenience that this incident may have caused you and to reassure you that appropriate corrective action was taken without delay," Via said Monday in an email to customers.
"We would also like to suggest that you remain vigilant and refrain from giving out your personal or financial information when you receive advertisements or unsolicited email that refer to your recent communications with Via Rail or your Via Preference account."