THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

January 22, 2020

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach in THSuite, a point-of-sale system in the cannabis industry.

The research team identified an unsecured Amazon S3 bucket owned by THSuite that exposed 85,000 files of sensitive data from multiple marijuana dispensaries around the U.S. and their customers. The leaked data included scanned government and employee IDs, exposing personally identifiable information (PII) for over 30,000 individuals.

THSuite offers business process management software services to cannabis dispensary owners and operators in the US. Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws, says the report. According to THSuite, the THSuite platform is designed to simplify this process for dispensary operators by automatically integrating with each state’s API traceability system.

In the sample of entries the vpnMentor team checked, they found information related to three marijuana dispensaries in different locations around the U.S.: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company. The vpnMentor team says that the breach affected many more dispensaries, and that it’s possible that all THSuite clients and their customers were involved.

The researchers also found photographs of government-issued photo IDs and corresponding signatures of dispensary visitors and patients alike. Additionally, there are attestations for what appears to be each patient acknowledging state laws regarding purchase and use of cannabis-based medicine.

Under HIPAA regulations, it’s a federal crime in the U.S. for any health services provider to expose protected health information (PHI) that could be used to identify an individual. As a result of the data breach, the researchers say that THSuite could be subject to HIPAA violations, which can result in fines of up to $50,000 for every exposed record, or even in jail time.

In addition, the researchers say that hackers and scammers can take advantage of personal details exposed in the data breach about dispensary customers and employees to create highly effective personalized phishing attacks.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

Related Articles

Report Abusive Comment