Data Breach Exposes Personal Information on Cannabis Users

• Cannabis customers in the US had their private information affected by a data breach.
• One THSuite server was completely open and contained private information from thousands of people, including IDs.
• The server has since been secured.

Another day, another data breach, as THSuite has apparently suffered a data breach. The breach exposed a wealth of sensitive data from various marijuana dispensaries in the US and their customers.

First things first - the discovery was made by security researchers Noam Rotem and Ran Locar who both helped out vpnMentor's research team in untangling this mess.

The breach was discovered on December 24th, 2019 and THSuite was informed on December 26th. Amazon AWS was contacted on January 7th, 2020, and the database was eventually closed on January 14th.

For those unfamiliar with THSuite, this is a point-of-sale system in the cannabis industry, heavily used across the US states where marijuana and other related products are legal. They offer business process management software services to owners of cannabis dispensaries and operators. More specifically, the THSuite platform is created to simplify the process for dispensary operators by automatically integrating with the API traceability system in each state.

Data Breach Scope

Given the fact that US laws force cannabis dispensaries to collect troves of data on their clients in order to comply with state laws, you can only imagine what the discovery entails - scanned government and employee IDs. Ripe material for identity theft, scams, phishing attacks, and more.

The breach sleuths identified an unsecured Amazon S3 bucket with some 85,000 files, including over 30,000 records with sensitive personally identifiable information. Given the scope of the breach, the team didn't go through the whole thing, but they did manage to identify several marijuana dispensaries - Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company - although more are affected.

Different dispensaries had different data affected, depending on the legal requirements. Amedicanna's customers, for instance, had their names, phone numbers, emails, date of birth, street address, medical and state ID number and expiration date, cannabis gram limit, and signature exposed, as well as info on their employees. Plus, the company's monthly sales, discounts, returns, and taxes were also affected.

Colorado Grow Company had their employee database affected, including the number of hours they worked, as well as an inventory list.

Data Breach Impact

Besides the major privacy impact that this data breach brings, including risks of identity theft, there's also another issue - the HIPPA regulations. According to these rules, it's a federal crime for a health service provider to expose protected health information and could result in fines of up to $50,000 for every exposed record, or jail time.

If you are a customer of a cannabis dispensary, you should check out with them if they are using THSuite in the backend. Make sure to pay more attention to any emails you may receive in order to detect scams.