THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

January 22, 2020

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach in THSuite, a point-of-sale system in the cannabis industry.

The research team identified an unsecured Amazon S3 bucket owned by THSuite that exposed 85,000 files of sensitive data from multiple marijuana dispensaries around the U.S. and their customers. The leaked data included scanned government and employee IDs, exposing personally identifiable information (PII) for over 30,000 individuals.

THSuite offers business process management software services to cannabis dispensary owners and operators in the US. Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws, says the report. According to THSuite, the THSuite platform is designed to simplify this process for dispensary operators by automatically integrating with each state’s API traceability system.

In the sample of entries the vpnMentor team checked, they found information related to three marijuana dispensaries in different locations around the U.S.: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company. The vpnMentor team says that the breach affected many more dispensaries, and that it’s possible that all THSuite clients and their customers were involved.

The researchers also found photographs of government-issued photo IDs and corresponding signatures of dispensary visitors and patients alike. Additionally, there are attestations for what appears to be each patient acknowledging state laws regarding purchase and use of cannabis-based medicine.

Under HIPAA regulations, it’s a federal crime in the U.S. for any health services provider to expose protected health information (PHI) that could be used to identify an individual. As a result of the data breach, the researchers say that THSuite could be subject to HIPAA violations, which can result in fines of up to $50,000 for every exposed record, or even in jail time.

In addition, the researchers say that hackers and scammers can take advantage of personal details exposed in the data breach about dispensary customers and employees to create highly effective personalized phishing attacks.

You must login or register in order to post a comment.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

Related Articles

Report Abusive Comment

The latest news and information

Content written for business-minded executives who manage enterprise risk and security