Tens of thousands of state-legal cannabis customers had their personal information exposed after a data breach occurred at a widely used dispensary point-of-sale system.
According to Newsweek, the leak affected at least some — and potentially all — pot shops that operate using THSuite retail software. Since both medical and adult-use dispensaries typically collect vast amounts of customer details, including addresses, copies of photo ID, phone numbers, and potentially sensitive medical information, the data breach is particularly alarming, and could carry serious consequences for those affected. Tech experts at vpnMentor discovered the leaked customer information during the investigation of a large-scale, password-free data lump dubbed the Amazon S3 bucket leak.
"We were able to access [the] bucket because it was completely unsecured and unencrypted. Using a browser, the team could access all files hosted on the database," vpnMentor researchers said in a blog post exposing the leak. "Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws. THSuite... is designed to simplify this process for dispensary operators by integrating with each state's API traceability system. As a consequence, the platform has access to a lot of private data related to dispensaries and their customers."
As for specific dispensaries hit by the leak, vpnMentor named only three pot shops, medical marijuana stores AmediCanna in Maryland, Bloom Medicinals in Ohio, and Colorado Grow Company. Because the trove of data was so large, though, experts are uncertain as to what portion of those dispensaries’ customer records were compromised, or how many other pot shops were included in the dump.
"The leaked bucket contained so much data that it wasn't possible for us to examine all the records individually," vpnMentor said. "Instead, we looked through a handful of random entries to understand what types of data were exposed in the breach overall. In the sample of entries we checked, we found information related to three marijuana dispensaries in... the US. However, this breach affected many more dispensaries."
Unlike other data hacks which have been discovered through stolen identities and sensitive info sold on the dark web, it is not yet clear if any malicious actors accessed THSuite's leaked data. And while THSuite has yet to release a statement regarding its improper online security, vpnMentor recommends that anyone who shops at the three named dispensaries contact the store and inquire about the status of their personal info.
"[THSuite] never replied to us following the disclosure, the bucket was secured following our reach-out to Amazon,” a spokesperson for vpnMentor told Newsweek. “Users should reach out to their dispensaries and find out from them if they are customers of THSuite.”
Follow Zach Harris on Twitter