THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

January 22, 2020

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach in THSuite, a point-of-sale system in the cannabis industry.

The research team identified an unsecured Amazon S3 bucket owned by THSuite that exposed 85,000 files of sensitive data from multiple marijuana dispensaries around the U.S. and their customers. The leaked data included scanned government and employee IDs, exposing personally identifiable information (PII) for over 30,000 individuals.

THSuite offers business process management software services to cannabis dispensary owners and operators in the US. Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws, says the report. According to THSuite, the THSuite platform is designed to simplify this process for dispensary operators by automatically integrating with each state’s API traceability system.

In the sample of entries the vpnMentor team checked, they found information related to three marijuana dispensaries in different locations around the U.S.: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company. The vpnMentor team says that the breach affected many more dispensaries, and that it’s possible that all THSuite clients and their customers were involved.

The researchers also found photographs of government-issued photo IDs and corresponding signatures of dispensary visitors and patients alike. Additionally, there are attestations for what appears to be each patient acknowledging state laws regarding purchase and use of cannabis-based medicine.

Under HIPAA regulations, it’s a federal crime in the U.S. for any health services provider to expose protected health information (PHI) that could be used to identify an individual. As a result of the data breach, the researchers say that THSuite could be subject to HIPAA violations, which can result in fines of up to $50,000 for every exposed record, or even in jail time.

In addition, the researchers say that hackers and scammers can take advantage of personal details exposed in the data breach about dispensary customers and employees to create highly effective personalized phishing attacks.

Career Focus: The Evolving Role of the Security Executive

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.

Security measures today tend to focus on controlling access, albeit with limitations. Many organizations, for example, know how many people have entered a secure location, but not how many have left.

Poll

Video Surveillance

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

THSuite, POS System in Cannabis Industry, Leaks 85,000 Files

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.