Data leak strikes US cannabis users, sensitive information exposed

A database backing point-of-sale systems used in medical and recreational marijuana dispensaries has been compromised.
Written by Charlie Osborne, Contributing Writer

Another day, another leaky database -- and this one has impacted 30,000 people connected to the medical and recreational marijuana industry. 

On Wednesday, the research team from VPNMentor, led by Noam Rotem and Ran Locar, said that an unsecured Amazon S3 bucket uncovered online without any authentication or security in place was the source of the leak.  

The database, found on December 24, 2019 as part of the firm's web scanning project, is reportedly owned by THSuite, described as "seed to sale" software -- a Point-Of-Sale (POS) and management system used in dispensaries across the United States. 

Medical marijuana is now permissible by law in some US states. However, dispensaries are held to strict legal standards to prevent abuse or the flouting of state law, and as a result, automatic systems like THSuite can make compliance and record-keeping easier for operators. 

However, you need security both at the front and back ends, and in this case, the database backing POS systems appears to have fallen short. 

According to VPNMentor, personally identifiable information (PII) belonging to 30,000 individuals was leaked. In total, over 85,000 files were exposed to anyone who stumbled across the database. 

The full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts were all available to view.  

See also: Antivirus vendors push fixes for EFS ransomware attack method

In addition, "scanned government and employee IDs" were recorded in the leaky bucket, stored through the Amazon Simple Storage Service. 

Rather than examine every record -- which would skirt the lines of ethical behavior -- the researchers grabbed some random samples related to dispensaries in Maryland, Ohio, and Colorado to ascertain the depth of the leak. 

Among the samples were records from Amedicanna Dispensary, including customer PII and information related to the firm's inventory and sales. Bloom Medicinals included similar PII, alongside cannabis product lists, suppliers, price, monthly sales, discounts, returns, and taxes paid. Colorado Grow Company's exposed information related to monthly sales, discounts, taxes, employee names, and inventory lists. It is likely that more dispensaries have been impacted.

CNET: Clearview app lets strangers find your name, info with snap of a photo, report says

As a medical data breach, it may be that there could be consequences under the US Health Insurance Portability and Accountability Act (HIPAA) of 1996, which demands strict security to be implemented by controllers of protected health information (PHI). Under the law, those who violate HIPAA can face multi-million-dollar fines or jail time.  

"Medical patients have a legal right to keep their medical information private," the researchers say. "Those whose personal information was leaked may face negative consequences both personally and professionally."

TechRepublic: Bug bounties won't make you rich (but you should participate anyway)

Two days after the database was discovered, VPNMentor reached out to THSuite but received no response. This led to the researchers contacting Amazon AWS on January 7, 2020. A week later, access to the database was revoked. 

ZDNet has reached out to THSuite and impacted dispensaries and will update when we hear back. 

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards