A sales management system specifically geared towards the cannabis industry has exposed the personal information of over 30,000 people by storing it in an unsecured database. The leak itself has been patched, but questions about the consequences of outing who uses a quasi-legal substance hang over the increasingly mainstream industry.
THSuite, which makes software for selling cannabis, stashed extensive customer information collected by at least three U.S. dispensaries in plain sight, according to the cybersecurity firm vpnMentor, which warned that many more dispensaries may have been affected. Among the exposed details were full names, dates of birth, phone numbers, emails, addresses, signatures, cannabis varieties and quantities purchased, the amount of money each customer spent, and transaction dates. Medical marijuana dispensaries also exposed patient names and medical ID numbers.
Researchers at vpnMentor discovered the leak on Christmas Eve and reported the unsecured Amazon Web Services server to THSuite in the following days. The companies sealed the information off on January 14, according to the computer scientists. They described the exposure in blunt terms in a press release: “We were able to access THSuite's S3 bucket [the database] because it was completely unsecured and unencrypted. We could access all files hosted on the database.” THSuite did not respond to a request for comment for this story.
The researchers did not find any evidence that malicious actors accessed the data, but the leak and others like it pose a new set of consequences in an industry still in the early days of regulation, experts told The Daily Beast. The saga could serve to spook customers as the cannabis industry plays catch-up on long-established security norms at other businesses.
“It wasn’t long ago that the typical cannabis entrepreneur was a plant loving mom and pop shop with a grow house no bigger than an apartment,” said Jonathan Caulkins, a professor of operations and public policy at Carnegie Mellon University who researches cannabis markets. “There’s something of a Wild West mentality. [The leak] doesn’t surprise me, although the idea that someone wouldn’t even try to protect the data is astonishing.”
Do you know about a cannabis company that’s failing to protect its customers’ data, or anything else about the weed industry we should? Contact this reporter at firstname.lastname@example.org, or at 650.731.5423 from a device not owned by your employer.
The report detailing the breach hinted at potential consequences for lax security under the Health Insurance Portability and Accountability Act (HIPAA), which protects medical treatment information with stiff penalties. But even if a leak could easily serve to embarrass a company like THSUite, it’s not clear whether it would be liable for alleged security failures under current law, according to Rob Mikos, a Vanderbilt University law professor who researches federal drug policy.
“We don’t have a definitive answer on cannabis and HIPAA,” Mikos said. “It’s a weird world we live in where the federal government tolerates these companies, but it’s hard to figure out what federal statutes do apply to them.”
Another snag: physicians don’t actually issue prescriptions for medical weed. In cases where recreational weed is not legal, states tend to have their own system for what amounts to a recommendation for a diagnosed condition like chemotherapy-induced nausea, Mikos noted. Unlike prescriptions, these recommendations are not federally regulated, but the diagnosis could be considered confidential medical information under HIPAA anyway.
That’s not an airtight case, however.
“Would the federal government consider the affected businesses healthcare providers? I suspect the company could make a credible argument that marijuana isn’t medicine under federal law,” he said.
States may have their own healthcare laws that offer more wide-ranging protections than HIPAA, Mikos said. But the fact that dispensaries have possession of customer data at all raises the stakes.
“States do require medical dispensaries to collect information on medical marijuana patients, but they’ve often taken the opposite approach with recreational dispensaries and barred those businesses from collecting any customer data beyond age,” he said. “If this leak has revealed that companies are tracking customers, maybe for marketing purposes, that may expose them to liability.”
Could someone lose their job if they were found in a database of cannabis customers? Cannabis is fully illegal in four states—Idaho, Kansas, South Dakota, and Nebraska—and many companies and agencies, including the federal government, require employees to be drug-free. But Mikos suggested that fear, at least, was likely unfounded because the provenance of the information amounts to dubious grounds for termination.
“You’d be in trouble if you were an employer and you resorted to a leaked database to fire an employee. Likewise with the federal government,” he said.
THSuite has some company in the newfangled club of marijuana data breaches. Last year, the Canadian cannabis company Natural Health Services informed customers that a breach of its electronic records had exposed the diagnostic results and contact information of 34,000 medical marijuana customers.
“Many of these businesses are not very careful and not very sophisticated. I wouldn’t expect the same level of IT support there as at a CVS or a Walgreens,” explained Caulkins.
Since many consumers are still skittish about purchasing legal marijuana, under medical auspices or otherwise, some entrepreneurs see data security as a trust issue that affects the brand of the industry as a whole. The more exposures like this one, the more potential to drive away business.
“If official databases can’t be trusted, medical consumers will become more skeptical of product on the shelves,” said Joshua Decatur, CEO of the hemp supply chain tracking company Trace. “This can drive them back into underground markets.”