Personal data for 11,771 marijuana dispensary applicants was leaked from an online medical marijuana dispensary application portal in Nevada. According to the Nevada Department of Health and Human Services, the leak was caused by a bug in the website's portal. For now, the online portal is down as crews work to ensure the website is secure against further security breaches. The portal is one of several other databases run by the Nevada state government.
The leak exposes unredacted PDF's of personal applications that include the person’s full name, phone number, home address, citizenship, ethnicity, date of birth, weight, height, race, and eye and hair color. What's more troubling is that a number of driver's license numbers and complete social security numbers were exposed. Each person that wishes to apply for a dispensary license must fill out the eight-page application. According to CSO, "The flaw enables anyone with access to a legitimate application, or knowledge of an application’s URL, to view thousands of completed forms by simply altering the ID number".
The vulnerability was discovered by security researcher Justin Shafer. Officials have taken down the website until security measures have been taken. Nevada state residents confirmed that the leaked information was accurate. It's the second time Shafer has uncovered a personal data leak in the State of Nevada Medical Marijuana Program. <blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr"><a href="https://twitter.com/USAO_NV">@USAO_NV</a> <a href="https://twitter.com/FBI">@FBI</a> <a href="https://twitter.com/HHSGov">@HHSGov</a> <a href="https://twitter.com/POTUS">@POTUS</a> <a href="https://twitter.com/HHSOCR">@HHSOCR</a> <a href="https://twitter.com/JeffDrummond">@JeffDrummond</a> Maybe the <a href="https://twitter.com/FTC">@FTC</a> will fine the state of nevada. <br><br>Nod. "like labmd"</p>— Justin Shafer (@JShafer817) <a href="https://twitter.com/JShafer817/status/814014067862081536">December 28, 2016</a></blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
On December 8, the Nevada Division of Public and Behavioral Health (DPBH) brought the system back online after a security issue was detected. Joe Pollock is deputy administrator of the DPHB.. The agency did “not have any evidence at this time that indicates the data in the Portal has been compromised,” Pollock told the Las Vegas Review-Journal on Dec. 21
Nevada legalized recreational marijuana on November 8, 2016. Nevada voters legalized medical marijuana for severe conditions such as HIV/AIDS and cancer back in 2000. According to NORML, Nevada is home to 20,773 registered patients. The exposed web portal was down as of midday on December 28. A spokesperson for the Nevada Dept. Health and Human Services told ZDNet that the applicants will be updated within a few days.
