Data Breach Exposes Personal Details of Over 30,000 U.S. Cannabis Users

Tens of thousands of customers from multiple U.S. marijuana dispensaries have been impacted in a data breach linked to a software company, researchers say.

Photo IDs, phone numbers and home addresses were among records found in a trove of data left online without password protection late last year, according to experts from vpnMentor. The team said the exposed file was stuffed with the details of at least 30,000 people.

The breach was traced back to point-of-sale software company THSuite, researchers Noam Rotem and Ran Locar said in a blog post this week.

At least three dispensaries across the U.S., seemingly customers of THSuite, were impacted by the Amazon S3 bucket leak, named as Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company.

Researchers claimed that "it's possible" all of THSuite's clients had been involved in the breach.

The leaky cloud database was first discovered on December 24 last year, and finally closed on January 14 after being disclosed to the software company. In total, it had allegedly included more than 85,000 files.

"We were able to access [the] bucket because it was completely unsecured and unencrypted. Using a browser, the team could access all files hosted on the database," vpnMentor said.

"Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws. THSuite... is designed to simplify this process for dispensary operators by integrating with each state's API traceability system. As a consequence, the platform has access to a lot of private data related to dispensaries and their customers."

Amedicanna Dispensary and Bloom Medicinals provide patients with medical marijuana, while the Colorado Grow Company is focused on the sale of the drug for legal recreational use.

Examples of leaked personal information from THSuite clients included full names, phone numbers, dates of birth, medical ID numbers, signatures, gram limits and sales figures.

[Photo: A budtender displays cannabis at the Higher Path medical marijuana dispensary in the San Fernando Valley area of Los Angeles, California, December 27, 2017. ROBYN BECK/AFP/Getty]

Researchers said the exposed information could have privacy implications for users, and said any concerned patients should speak directly with the marijuana providers.

"[THSuite] never replied to us following the disclosure; the bucket was secured following our reach-out to Amazon. Users should reach out to their dispensaries and find out from them if they are customers of THSuite," a spokesperson for vpnMentor told Newsweek.

It remains unclear if the data was accessed by anyone else during the time it was online. "This raises serious privacy concerns," the vpnMentor blog said. "Medical patients have a legal right to keep their medical information private." THSuite has been contacted for comment.

"The leaked bucket contained so much data that it wasn't possible for us to examine all the records individually," the cyber investigators noted. "Instead, we looked through a handful of random entries to understand what types of data were exposed in the breach overall.

"In the sample of entries we checked, we found information related to three marijuana dispensaries in... the US. However, this breach affected many more dispensaries."

THSuite says it follows "generally accepted industry standards" to protect users' personally identifiable information but concedes that it "cannot guarantee its absolute security."

"Matters of privacy and protection of our patient records are of utmost importance at Harvest. Our cybersecurity team is actively investigating the situation, which will allow us to take appropriate steps," a spokesperson for the Amedicanna Dispensary parent firm told Newsweek.

In addition, Bloom Medicinals said it was aware of the data breach and confirmed that it could have potentially impacted some of its patient data.

It said: "We are currently conducting a thorough investigation and working closely with THSuite to accurately identify which, if any, of Bloom Medicinals patients have been affected.

"Once we have identified any affected patients, we will notify each individual and follow HIPAA breach notification protocols. Bloom Medicinals serves tens of thousands of patients in multiple states and we take patient privacy very seriously. Rest assured we will implement any corrective action necessary to both remedy, and ensure, this does not happen again."