THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

January 22, 2020

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach in THSuite, a point-of-sale system in the cannabis industry.

The research team identified an unsecured Amazon S3 bucket owned by THSuite that exposed 85,000 files of sensitive data from multiple marijuana dispensaries around the U.S. and their customers. The leaked data included scanned government and employee IDs, exposing personally identifiable information (PII) for over 30,000 individuals.

THSuite offers business process management software services to cannabis dispensary owners and operators in the US. Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws, says the report. According to THSuite, the THSuite platform is designed to simplify this process for dispensary operators by automatically integrating with each state’s API traceability system.

In the sample of entries the vpnMentor team checked, they found information related to three marijuana dispensaries in different locations around the U.S.: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company. The vpnMentor team says that the breach affected many more dispensaries, and that it’s possible that all THSuite clients and their customers were involved.

The researchers also found photographs of government-issued photo IDs and corresponding signatures of dispensary visitors and patients alike. Additionally, there are attestations for what appears to be each patient acknowledging state laws regarding purchase and use of cannabis-based medicine.

Under HIPAA regulations, it’s a federal crime in the U.S. for any health services provider to expose protected health information (PHI) that could be used to identify an individual. As a result of the data breach, the researchers say that THSuite could be subject to HIPAA violations, which can result in fines of up to $50,000 for every exposed record, or even in jail time.

In addition, the researchers say that hackers and scammers can take advantage of personal details exposed in the data breach about dispensary customers and employees to create highly effective personalized phishing attacks.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

The event will look at the in-car and off-board infrastructure cybersecurity policies, technologies, services, and products that will enable top OEMs and suppliers to strengthen their products’ defenses, mitigation, and resilience.

Security Magazine

2020 August

This month in Security magazine, we examine how physical security leaders are being propelled into a unique position of revenue preservers and risk managers for their businesses. In addition, we profile Scott Ashworth, Director of Security for Atlanta United. Also, security leaders discuss how to develop cybersecurity careers, election security, data protection strategies, measuring and reporting security operations maturity and more!

View More Create Account

THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

Related Articles

Microsoft: New Wormable, Unpatched Bug in SMB File-Sharing System

VISA Alerts to Cyber Attacks on Gas Pump PoS Systems

Report Abusive Comment

Security Magazine

2020 August