[BreachExchange] Nevada accidentally leaks thousands of medical marijuana dispensary applications
Inga Goddijn
inga at riskbasedsecurity.com
Wed Dec 28 17:31:53 EST 2016
http://www.zdnet.com/article/nevada-leaks-personal-data-on-thousands-of-medical-marijuana-dispensary-applicants/
Nevada's state government website has leaked the personal data on over
11,700 applicants for dispensing medical marijuana in the state.
Each application, eight pages in length, includes the person's full name,
home address, citizenship, and even their weight and height, race, and eye
and hair color. The applications also include the applicant's citizenship,
their driving license number (where applicable), and social security number.
We left a number of voicemails of applicants prior to publication. One
dispensary based in Las Vegas, who did not want to be named, confirmed
after we posted that their records were accurate.
But it's not immediately clear how many years the applications date back.
Security researcher Justin Shafer found the bug in the state's website
portal, allowing anyone with the right web address to access and enumerate
the thousands of applications.
Though the medical marijuana portal can be found with a crafted Google
search query, we're not publishing the web address out of caution until the
bug is fixed.
A spokesperson for the Nevada Dept. Health and Human Services, which runs
the medical marijuana application program, told ZDNet that the website has
been pulled offline to limit the vulnerability.
The spokesperson added that the leaked data was a "portion" of one of
several databases.
The state government will be notifying applicants in the next few days of
the leak in line with state law.
Nevada was one of the first states to legalize medical uses of marijuana
during the 2000 election, but uses were limited to patients with cancer,
HIV and AIDS, as well as chronic conditions, such as glaucoma and severe
pain, and had a valid doctor's note.
The state most recently voted to legalize recreational use
<http://www.cbsnews.com/news/live-updates-state-voting-results-on-recreational-marijuana-pot-legalization-election-day/>
of the drug.
[image: 11767-5.png][image: 11767-2.png]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161228/198a7fe4/attachment.html>
More information about the BreachExchange
mailing list