[BreachExchange] Data leak strikes US cannabis users, sensitive information exposed

Fri Jan 24 09:55:35 EST 2020

https://www.zdnet.com/article/data-leak-strikes-us-cannabis-users-sensitive-information-exposed/

Another day, another leaky database -- and this one has impacted
30,000 people connected to the medical and recreational marijuana
industry.

On Wednesday, the research team from VPNMentor, led by Noam Rotem and
Ran Locar, said that an unsecured Amazon S3 bucket uncovered online
without any authentication or security in place was the source of the
leak.

The database, found on December 24, 2019 as part of the firm's web
scanning project, is reportedly owned by THSuite, described as "seed
to sale" software -- a Point-Of-Sale (POS) and management system used
in dispensaries across the United States.

Medical marijuana is now permissible by law in some US states.
However, dispensaries are held to strict legal standards to prevent
abuse or the flouting of state law, and as a result, automatic systems
like THSuite can make compliance and record-keeping easier for
operators.

However, you need security both at the front and back ends, and in
this case, the database backing POS systems appears to have fallen
short.

According to VPNMentor, personally identifiable information (PII)
belonging to 30,000 individuals was leaked. In total, over 85,000
files were exposed to anyone who stumbled across the database.

The full names of patients and staff members, dates of birth, phone
numbers, physical addresses, email addresses, medical ID numbers,
cannabis used, price, quantity, and receipts were all available to
view.

In addition, "scanned government and employee IDs" were recorded in
the leaky bucket, stored through the Amazon Simple Storage Service.

Rather than examine every record -- which would skirt the lines of
ethical behavior -- the researchers grabbed some random samples
related to dispensaries in Maryland, Ohio, and Colorado to ascertain
the depth of the leak.

Among the samples were records from Amedicanna Dispensary, including
customer PII and information related to the firm's inventory and
sales. Bloom Medicinals included similar PII, alongside cannabis
product lists, suppliers, price, monthly sales, discounts, returns,
and taxes paid. Colorado Grow Company's exposed information related to
monthly sales, discounts, taxes, employee names, and inventory lists.
It is likely that more dispensaries have been impacted.

As a medical data breach, it may be that there could be consequences
under the US Health Insurance Portability and Accountability Act
(HIPAA) of 1996, which demands strict security to be implemented by
controllers of protected health information (PHI). Under the law,
those who violate HIPAA can face multi-million-dollar fines or jail
time.

"Medical patients have a legal right to keep their medical information
private," the researchers say. "Those whose personal information was
leaked may face negative consequences both personally and
professionally."

Two days after the database was discovered, VPNMentor reached out to
THSuite but received no response. This led to the researchers
contacting Amazon AWS on January 7, 2020. A week later, access to the
database was revoked.

ZDNet has reached out to THSuite and impacted dispensaries and will
update when we hear back.