A software company has accidentally exposed the details of approximately 30,000 legal weed customers. THSuite, an entity that specializes in developing software for marijuana dispensaries, ended up revealing the details of tens of thousands of American cannabis buyers. The data belonged to dispensaries, located in Maryland, Ohio, and Colorado.
Even though some states are considered weed-friendly, they still have strict record-keeping laws that require cannabis dispensaries to collect personal information of legal cannabis users at point of sale, and this is precisely the data that was readily available for download. It consisted of scans of ID cards revealing dates of birth, ID numbers, and current addresses. The sensitive information has been sitting readily available for download for everyone willing to look for it online. The Register reported that it was left accessible to the open internet, and it was reachable by the Shodan.io search engine. The data was stored on an Amazon Web Services S3 storage bucket and was unencrypted. The information seen in the bucket not only included ID scans but also purchase history, emails, and phone numbers.
As for last week, the bucket is no longer available for download. It is currently unknown if criminals have used the leaked information. The information was discovered by cybersecurity researchers on December 24th last year, and two days later was reported to THSuite who secured the file. The researchers who came across the leak confirmed that there might have been records on every dispensary that use THSuite, which means that the 85,000 document leak may include the details of dispensaries operating in California too.
The leak is a reminder about the privacy nightmare legal weed may cause. The US is not the only one in North America struggling with maintaining legal cannabis users’ privacy. Back in 2018, Canada’s Post Office accidentally exposed the personal data of potential legal weed users too. The data, however, was not as sensitive as it only contained names of the person who signed the delivery, the date of receipt, as well as their zip code. Last year the Canada-based Natural Health Services also informed its userbase that a breach might have exposed the diagnostic results and contact information of more than 30,000 cannabis users.
THSuite might be in deep water as, under the HIPPA regulations, it is considered a federal crime to any health service provider to expose protected health information that could be used to identify the treated person. Even though that THSuite is not a healthcare provider but a software company, they still will surely have some explaining to do – the exposure of such sensitive information may lead to jail time and hefty fines of up to $50,000 per exposed record.
Even if the leak resurfaces online again, it will be illegal for employers requiring drug-free environment to terminate employment based solely on this database. However, such leaks can undoubtedly put a stain on the legal cannabis business as marijuana enthusiasts may start feeling hesitant to obtain marijuana legally. This is just another reminder about the importance of keeping privacy safe and the need for stronger regulation on how private data is handled on both state and federal levels.