It’s legal, we’re not judging. Marijuana is now legal for medical use in 33 states, and 11 of those allow recreational use of the drug for adults over the age of 21. It’s 2020 after all.
Of course, a new marketable product means a new stream of income, which unfortunately means a new avenue for cyber attackers, a nemesis that old-fashioned pot dealers never had to trifle with. These new “pot dealers”, or marijuana dispensaries, fall within the typical retail category, and most use a POS (point-of-sale) system to perform and manage the sale itself.
It is the POS system used in these dispensaries that was compromised, exposing the data of 30,000 people.
The leak was discovered by a vpnMentor research team, which said that “an unsecured Amazon S3 bucket uncovered online without any authentication or security in place was the source of the leak.”
This is the same weakness we described in our previous blog post, which was used to steal data from Capital One and cause the largest data breach in the US financial sector.
To elaborate, an Amazon S3 bucket is an object storage offering within Amazon Web Services (AWS) public cloud storage. Similar to file folders, these buckets store data and the corresponding metadata. They are not something that should be left open to public access.
Designed to make record-keeping easier, this “seed to sale” software (a POS management system) and its unsecured database, both owned by THSuite, are used by numerous marijuana dispensaries across the United States.
What was leaked?
According to the research team at vpnMentor, “personally identifiable information (PII) belonging to 30,000 individuals was leaked. In total, over 85,000 files were exposed to anyone who stumbled across the database.”
Patient and staff information included birthdays, email addresses, phone numbers, physical addresses, medical ID numbers, the cannabis products used, and the price and quantity purchased. “Scanned government and employee IDs” were also stored in the exposed database.
Dispensaries known to have been affected are Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company, although more are suspected to have had information leaked.
This is technically a medical data breach, so “it may be that there could be consequences under the US Health Insurance Portability and Accountability Act (HIPAA) of 1996.” That could mean multi-million-dollar fines or jail time if HIPAA is found to have been violated.
If you need assistance setting up your cloud configurations to create a more secure environment, contact DarkHound SecOps at [email protected].
–Emmy Seigler
Sources:
https://www.zdnet.com/article/data-leak-strikes-us-cannabis-users-sensitive-information-exposed/?ftag=TRE-03-10aaa6b&bhid=28837826891618282212917048574090
https://www.businessinsider.com/legal-marijuana-states-2018-1
https://searchaws.techtarget.com/definition/AWS-bucket