A tech biz specializing in software for marijuana dispensaries inadvertently exposed to the public internet a database containing tens of thousands of mellow Americans' personal information.
The leak-busting team at vpnMentor took credit for unearthing the unprotected Amazon Web Services S3 storage bucket, owned by THSuite, a vendor that sells software to medical and recreational cannabis dispensaries to manage customer records and stay in compliance with state regulations.
Personal records, including scans of ID cards and purchase details, for more than 30,000 people were exposed to the public internet from this unsecured cloud silo, we're told. In addition to full names and pictures of customer ID cards, the 85,000 file collection is said to include email and mailing address, phone numbers, dates of birth, and the maximum amount of cannabis an individual is allowed to purchase. All available to download, unencrypted, if you knew where to look.
Because many US states have strict record-keeping requirements written into their marijuana legalization laws, dispensaries have to manage a certain amount of customer and inventory information. In the case of THSuite, those records were put into an S3 bucket that was left accessible to the open internet – including the Shodan.io search engine.
The bucket was taken offline last week after it was discovered on December 24, and its insecure configuration was reported to THSuite on December 26 and Amazon on January 7, according to vpnMentor. The S3 bucket's data belonged to dispensaries in Maryland, Ohio, and Colorado, we're told.
"Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws. The THSuite platform is designed to simplify this process for dispensary operators by automatically integrating with each state’s API traceability system," explained the vpnMentor team.
FBI, NSA to hackers: Let us be blunt. Weed need your help. We'll hire you even if you've smoked a little pot in the pastREAD MORE
"As a consequence of this, the platform has access to a lot of private data related to dispensaries and their customers."
In some cases the records also included specific transaction details, including variety and quantity purchased, total transaction cost, and the name of the employee who made the sale.
"While only three dispensaries were specifically named in the files vpnMentor analyzed, the researchers believe many more shops are included in the cache, and it is possible the bucket contained records for every dispensary that uses THSuite," said vpnMentor.
"The leaked bucket contained so much data that it wasn’t possible for us to examine all the records individually. Instead, we looked through a handful of random entries to understand what types of data were exposed in the breach overall."
A spokesperson for THSuite could not be reached for immediate comment. ®