THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

January 22, 2020

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach in THSuite, a point-of-sale system in the cannabis industry.

The research team identified an unsecured Amazon S3 bucket owned by THSuite that exposed 85,000 files of sensitive data from multiple marijuana dispensaries around the U.S. and their customers. The leaked data included scanned government and employee IDs, exposing personally identifiable information (PII) for over 30,000 individuals.

THSuite offers business process management software services to cannabis dispensary owners and operators in the US. Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws, says the report. According to THSuite, the THSuite platform is designed to simplify this process for dispensary operators by automatically integrating with each state’s API traceability system.

In the sample of entries the vpnMentor team checked, they found information related to three marijuana dispensaries in different locations around the U.S.: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company. The vpnMentor team says that the breach affected many more dispensaries, and that it’s possible that all THSuite clients and their customers were involved.

The researchers also found photographs of government-issued photo IDs and corresponding signatures of dispensary visitors and patients alike. Additionally, there are attestations for what appears to be each patient acknowledging state laws regarding purchase and use of cannabis-based medicine.

Under HIPAA regulations, it’s a federal crime in the U.S. for any health services provider to expose protected health information (PHI) that could be used to identify an individual. As a result of the data breach, the researchers say that THSuite could be subject to HIPAA violations, which can result in fines of up to $50,000 for every exposed record, or even in jail time.

In addition, the researchers say that hackers and scammers can take advantage of personal details exposed in the data breach about dispensary customers and employees to create highly effective personalized phishing attacks.

In today's world of growing dependence on digital landscape expansion, companies are becoming more reliant upon cloud-based security services that protect both the company and customers they service.

Join a fast-paced webinar on October 7 when 3xLOGIC’s experts discuss the many advantages of cloud surveillance. Learn why end users are demanding cloud solutions, and how this can empower business owners to view, manage, and share video from anywhere, at any time, on any device.

Poll

Which metric comparing peer organizations to yours would be most beneficial for your security program?

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.