Canada Post is having delivery problems — and for once, it’s not your mail.

New applications for the Crown corporation’s MyMoney consumer loan program, launched nationally in late September, have been put “on pause” after security monitoring detected an apparent attack.

“It is disappointing that bad actors tried to take advantage of a new product meant to help Canadians, but we are pleased that our security monitoring worked quickly and hope to reopen applications as soon as we feel it is appropriate,” said Amy Thompson, a spokesperson for TD Bank, which has been running the MyMoney program.

Existing MyMoney customers can still access their money, Thompson said.

The MyMoney program, which offers consumers loans of between $1,000 and $30,000, was launched as a pilot project in Nova Scotia last year, but went national in September.

Thompson stressed that no TD customer information was compromised by the apparent attack, but said the bank put applications on hold out of an abundance of caution.

“Our processing was impacted when our security protocols identified early warning signs of irregular activities. And while no TD customer information was compromised, we did elect to pause the program to investigate,” Thompson said.

Thompson declined to say how many applications were in process when the program was paused, or how many existing customers the program has.

Canada Post declined to comment, and referred questions to TD.

One of Canada’s foremost computer security experts said TD’s explanation of the attack suggests people were trying to “fudge” the application process.

“There are systems available that let you screen for people who are filling in forms in a suspicious way. To me, it sounds like that’s what TD is running, in terms of security protocols and the early warning signs they’re talking about. And it looks like their protocols worked,” said David Skillicorn, a professor in the School of Computing at Queen’s University.

Skillicorn explained that many organizations with online forms use a type of security software that sits between the web browser, and the server which collects the information.

“It looks at the mouse movements, and the amounts that people enter into the boxes. Because it’s known that people who are trying to scam those sorts of interfaces fill the boxes in, in a non-standard order, and go back and change the numbers to make them sort of come out right,” said Skillicorn, who isn’t surprised that MyMoney came under attack. A loan program would be a tempting target.

“All criminals try to monetize. … So these types of things are always going to be a target,” said Skillicorn.

The MyMoney program is Canada Post’s latest offering as it struggles to deal with declining volumes of traditional mail. In the third quarter, the crown corporation had a net loss of $101 million. Its Canada Post postal operations lost $170 million in the quarter, while its Purolator courier division had a net profit of $64 million.

The apparent attack is “suboptimal” for a lending program still trying to make a name for itself, said Kenneth Wong, a marketing professor at Queen’s University’s Smith School of Business.

“Canadians have a deep, deep concern about their privacy, and that’s especially the case with financial services and health-care information,” said Wong.

Still, Wong added, it’s not necessarily a giant black eye for TD, or for Canada Post. “As long as they can say that they paused it as soon as they noticed a problem, that’s OK. If they kept going after they found out, that would be a problem.”

“There are systems available that let you screen for people who are filling in forms in a suspicious way …And it looks like their protocols worked.

DAVID SKILLICORN QUEEN’S UNIVERSITY SCHOOL OF COMPUTING