SPECIAL REPORT: Cannabis Users’ Sensitive Data Exposed in Data Breach
By: Noam Rotem and Ran Locar
vpnMentor Research Team
Led by internet privacy researchers Noam Rotem and Ran Locar, the vpnMentor research team
has discovered another data breach, this time attributed to THSuite, a point-of-sale system in the cannabis industry.
The team identified an unsecured Amazon S3 bucket owned by THSuite that exposed sensitive
data from multiple marijuana dispensaries around the US and their customers.
The leaked data included scanned government and employee IDs, exposing personally identifiable
information (PII) for over 30,000 individuals.
THSuite offers business process management software services to cannabis dispensary owners and operators in the US. Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws. The THSuite platform is designed to simplify this process for dispensary operators by automatically integrating with each state’s API traceability system.
As a consequence of this, the platform has access to a lot of private data related to dispensaries
and their customers.
Sometimes the extent of a data breach and the owner of the data are obvious, and the issue is quickly
resolved. But these times are rare. Most often, we need days of investigation before we understand
what’s at stake or who’s leaking the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to
publish accurate and trustworthy reports, ensuring everybody who reads them understands their
Some affected parties deny the facts, disregarding our research or playing down its impact. So,
we need to be thorough and make sure everything we find is correct and true.
In this case, we easily identified THSuite as the owner of the database and contacted the company
with our findings.
Over 85,000 files were leaked in this data breach, including over 30,000 records with sensitive
PII. The leak also included scanned government and company IDs stored in an Amazon S3 bucket
through the Amazon Simple Storage Service.
The leaked bucket contained so much data that it wasn’t possible for us to examine all the records
individually. Instead, we looked through a handful of random entries to understand what types of
data were exposed in the breach overall.
In the sample of entries we checked, we found information related to three marijuana dispensaries
in different locations around the US: Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company.
However, this breach affected many more dispensaries. It’s possible that all THSuite clients and
their customers were involved.
The researchers also found photographs of government-issued photo IDs and corresponding signatures of dispensary visitors and patients alike. Additionally, there are attestations for what appears to be each patient acknowledging state laws regarding purchase and use of cannabis-based medicine.
vpnMentor is the world’s largest VPN review website. Their research lab is a pro-bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
NB. While we exert full diligence and FactCheck all post material published, Argus News Group does not accept responsibility for the content or probity of third-party articles or websites.