POS Vendor for Cannabis Dispensaries Exposed Data: ReportResearchers Discovered Unsecured Database Accessible Via Internet
A point-of-sale system vendor that serves U.S. medical and recreational cannabis dispensaries left an unprotected database containing sensitive information about three clients and 30,000 of their customers exposed to the internet, researchers say.
See Also: The 5 Foundational DevOps Practices
Security firm vpnMentor says its research team recently discovered that Seattle, Washington-based THSuite left the database exposed.
"Our team identified an unsecured Amazon S3 bucket owned by THSuite that exposed sensitive data from multiple marijuana dispensaries around the U.S. and their customers," the research report states. The leaked data included more than 85,000 files, including scanned government and employee IDs, exposing personally identifiable information for over 30,000 individuals, the report says.
Researchers discovered the unsecured data bucket Dec. 24, 2019, and contacted THSuite on Dec. 26. Amazon AWS was contacted on Jan. 7, and the database was closed on Jan. 14, vpnMentor reports. It's not clear whether the data in the exposed database was inappropriately viewed or used.
Potential Impact of Exposed Data
In its report, vpnMentor notes that exposure of data about individuals who have purchased marijuana for medicinal or recreational use use could have profound implications for the individuals involved.
"Many workplaces have specific policies prohibiting cannabis use," the report notes. "Customers and patients may face consequences at work due to their cannabis use being exposed. Some could even lose their jobs, especially if they work for a federal agency.
"Even without the legal risks, there's still a stigma surrounding marijuana use. Individuals may suffer backlash if their families, friends and colleagues find out that they use cannabis."
Three Clients Impacted
The report dentified three THSuite clients impacted by the breach: AmediCanna Dispensary in Halethorpe, Maryland; Bloom Medicinals in Akron, Ohio; and Colorado Grow Co. in Durango.
In a statement provided to Information Security Media Group, R.J. Starr, head of compliance and regulatory affairs at Bloom Medicinals, said: "We have been made aware that our third-party technology provider, THSuite, experienced a data breach which may have affected some of our patients' data. We are working closely with our technology vendor to identify which, if any, of Bloom Medicinals patients has been affected. Once we have identified any affected patients, we will notify each individual, and follow all state and federal breach notification requirements."
AmediCanna Dispensary tells ISMG: "Matters of privacy and protection of our patient records are of utmost importance. ... Our cybersecurity team is actively investigating the situation, which will allow us to take appropriate steps."
THSuite and Colorado Grow Co. did not respond to ISMG's requests for comment.
Breach Notification Requirements
Privacy attorney David Holtzman of the security consultancy CynergisTek notes: "In the case of a medical marijuana dispensary, if an incident disclosed personal information and the data elements were the type protected by state law, then the applicable breach notification requirements would have to be observed."
But state-licensed dispensaries are unlikely to be subject to the HIPAA rules because they do not engage in the required standard transactions and thus do not qualify as a covered entity, Holtzman adds.
"The individually identifiable health information of the healthcare provider who may have written the state-required authorization supporting access for eligibility to receive medical marijuana is PHI protected by the HIPAA rules," he explains. "Medical cannabis information would be protected health information if it were held in an individual's health records that were maintained by a covered entity or their business associate."
According to vpnMentor, the unprotected THSuite database exposed a range of data about the three dispensaries' customers. For example, the leak exposed details about AmediCanna Dispensary customers, including names, phone numbers, email address, dates of birth, street address, medical/state ID numbers, cannabis gram limit and signature.
Similar information was exposed related to Bloom Medicinals, plus date of first purchase, whether the patient received financial assistance for cannabis purchases and whether the patient opted in for SMS text notifications.
"We were able to view the dispensary's monthly sales, discounts, returns and taxes paid. The sales were further broken down by payment method and product type," THSuite says.
But the unsecured database apparently did not expose information pertaining to Colorado Grow Co. customers, vpnMentor says. The database, however, included the dispensary's monthly sales reports for both cannabis and other products, including gross sales, discounts, taxes, net sales and totals for each payment type. The leak also exposed full names of dispensary employees and the number of hours they worked during each two-week pay period, the report notes.
Each state is approaching regulation of the medical marijuana dispensaries and recreational marketplace differently, Holtzman notes. "My view is that a state's data protection and breach notification laws would be applicable to information that falls under the protection of these requirements. An individual's drivers' license data is protected whether it is collected by the recreational marijuana retailer or the car rental agency."
Avoiding Similar Breaches
The vpnMentor report suggests that THSuite "could have easily avoided this leak if they had taken some basic security measures to protect the Amazon S3 bucket."
These steps include properly securing servers, implementing appropriate access rules and never leaving a system that doesn't require authentication open to the internet.
As part of an ongoing research project, vpnMentor researchers have come across numerous other unsecure databases exposed to the internet.
For example, the researchers said in December that they uncovered an unsecured database belonging to TrueDialog, an Austin, Texas-based business SMS texting solutions provider, which exposed data on millions, including text messages, names, addresses and other information.
Also, the researchers recently discovered an unsecured Amazon Web Services database belonging to PayMyTab, a company that provides U.S. restaurants with mobile payment apps and devices, that left payment card and other customer data exposed.