Two researchers discovered late last week that THSuite, a point-of-sale software platform for cannabis dispensaries, had suffered a data breach.
vpnMentor researchers Noam Rotem and Ran Locar reported that sensitive information belonging to an estimated 30,000 people had been left unprotected. The exposed data included photo IDs, phone numbers, home addresses, birth dates and signatures, all sitting in a publicly accessible Amazon S3 bucket. As of this writing, three dispensaries were identified as affected: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company. Although it has not been verified, Rotem and Locar added that more customers may have been affected by the breach.
The leak was first found on Dec. 24, 2019, and wasn’t closed until Jan. 14, 2020. “We were able to access [the] bucket because it was completely unsecured and unencrypted. Using a browser, the team could access all files hosted on the database,” said vpnMentor. “Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws. THSuite . . . is designed to simplify this process for dispensary operators by integrating with each state’s API traceability system. As a consequence, the platform has access to a lot of private data related to dispensaries and their customers.” Unfortunately, there is no information on whether anyone else accessed the private data before the leak was discovered.
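The root cause described above is a bucket that was world-readable and had no default encryption. The script below is an added example (not code from vpnMentor, THSuite or any of the dispensaries) showing how a defender can check a bucket for exactly those two conditions. The `audit_bucket` function, the `fetch_bucket_state` helper and the sample API responses are assumptions of this example; the responses are constructed to mirror the shapes boto3 returns for `get_public_access_block`, `get_bucket_acl` and `get_bucket_encryption`, so the audit logic runs offline without an AWS account.

```python
"""Audit an S3 bucket for public exposure and missing default encryption.

Added example, not code from the article's subjects. The audit works on the
three boto3 response dictionaries that describe the risk; fetching them from
a live account is optional and needs credentials with s3:GetBucket* rights.
"""
from typing import Any, Dict, List, Optional, Tuple

# Canned grantee URIs AWS uses for "anyone on the internet" and
# "any AWS account holder" in bucket ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(public_access_block: Optional[Dict[str, Any]],
                 acl: Dict[str, Any],
                 encryption: Optional[Dict[str, Any]]) -> List[str]:
    """Return a list of findings; an empty list means no issue detected.

    public_access_block / encryption may be None, which is how a caller
    should represent the ClientError boto3 raises when neither is configured.
    """
    findings: List[str] = []

    # 1. Account/bucket-level Public Access Block: every flag should be on.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for key in PAB_KEYS:
        if not pab.get(key, False):
            findings.append(f"public access block: {key} is off")

    # 2. Bucket ACL: any grant to AllUsers/AuthenticatedUsers is public.
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            who = "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"acl: {grant.get('Permission')} granted to {who}")

    # 3. Default server-side encryption: at least one rule must exist.
    rules = (encryption or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append("encryption: no default server-side encryption")

    return findings


def fetch_bucket_state(bucket: str) -> Tuple[Optional[Dict[str, Any]],
                                              Dict[str, Any],
                                              Optional[Dict[str, Any]]]:
    """Optional live fetch (assumed helper): returns the three responses.

    Only imported on use so the audit itself has no AWS dependency.
    """
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")

    def _try(call):
        try:
            return call()
        except ClientError:  # no PAB / no encryption config => None
            return None

    return (_try(lambda: s3.get_public_access_block(Bucket=bucket)),
            s3.get_bucket_acl(Bucket=bucket),
            _try(lambda: s3.get_bucket_encryption(Bucket=bucket)))


# Constructed sample: the state the article describes (open and unencrypted).
EXPOSED_PAB = None
EXPOSED_ACL = {"Owner": {"ID": "owner-id"},
               "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                           "Permission": "READ"}]}
EXPOSED_ENC = None

# Constructed sample: the same bucket after hardening.
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
HARDENED_ACL = {"Owner": {"ID": "owner-id"},
                "Grants": [{"Grantee": {"Type": "CanonicalUser",
                                        "ID": "owner-id"},
                            "Permission": "FULL_CONTROL"}]}
HARDENED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    for label, state in (("exposed", (EXPOSED_PAB, EXPOSED_ACL, EXPOSED_ENC)),
                         ("hardened", (HARDENED_PAB, HARDENED_ACL, HARDENED_ENC))):
        print(label, audit_bucket(*state) or ["no findings"])
```

Run against the constructed exposed sample it reports four disabled Public Access Block flags, a READ grant to AllUsers and missing default encryption; the hardened sample yields no findings. Bucket policies can also grant public access, so a production audit should additionally call `get_bucket_policy_status` and inspect `PolicyStatus.IsPublic`.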
The affected dispensaries have released statements of their own, assuring customers that steps are being taken to protect their data once more. Amedicanna Dispensary, according to its parent company, is working toward a remedy. “Matters of privacy and protection of our patient records are of utmost importance at Harvest. Our cybersecurity team is actively investigating the situation, which will allow us to take appropriate steps,” the company’s parent firm told Newsweek in a statement.
Bloom Medicinals is also working toward a solution. “Once we have identified any affected patients, we will notify each individual and follow HIPAA breach notification protocols. Bloom Medicinals serves tens of thousands of patients in multiple states and we take patient privacy very seriously. Rest assured we will implement any corrective action necessary to both remedy, and ensure, this does not happen again.”