BreachExchange mailing list archives
Data leak strikes US cannabis users, sensitive information exposed
From: Destry Winant <destry () riskbasedsecurity com>
Date: Fri, 24 Jan 2020 08:55:35 -0600
https://www.zdnet.com/article/data-leak-strikes-us-cannabis-users-sensitive-information-exposed/

Another day, another leaky database, and this one has impacted 30,000 people connected to the medical and recreational marijuana industry.

On Wednesday, the research team from VPNMentor, led by Noam Rotem and Ran Locar, said that the source of the leak was an Amazon S3 bucket exposed online without any authentication or other access control in place. The database, found on December 24, 2019 as part of the firm's web scanning project, is reportedly owned by THSuite, described as "seed to sale" software: a Point-Of-Sale (POS) and management system used in dispensaries across the United States.

Medical marijuana is now permitted by law in some US states. However, dispensaries are held to strict legal standards to prevent abuse or the flouting of state law, and automated systems such as THSuite can make compliance and record-keeping easier for operators. Such software still needs security at both the front and back ends, and in this case the database backing the POS system appears to have fallen short.

According to VPNMentor, personally identifiable information (PII) belonging to 30,000 individuals was leaked. In total, over 85,000 files were exposed to anyone who found the bucket. The full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts were all available to view. In addition, "scanned government and employee IDs" were stored in the same Amazon Simple Storage Service (S3) bucket.

Rather than examine every record, which would skirt the lines of ethical behavior, the researchers took random samples related to dispensaries in Maryland, Ohio, and Colorado to gauge the depth of the leak.
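The bucket described above was readable by anyone because it was exposed with no authentication in front of it. As an added example (not part of the ZDNet article, VPNMentor's research or THSuite's software), the Python script below audits the two bucket-level documents that decide whether an S3 bucket is anonymously readable, the bucket ACL and the bucket policy, in the JSON shape returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`. The sample ACL and policy are constructed for this illustration; the bucket name, statement Sids, account ID and IP range are invented. It runs offline, and the same functions can be pointed at real output from those two CLI commands.

```python
"""Offline check of an S3 bucket ACL and bucket policy for anonymous read access.

Added example, not code from the ZDNet article, VPNMentor or THSuite. The two
JSON documents below are constructed to mimic the output of
`aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`.
"""
import fnmatch
import json

# Real S3 group URIs: AllUsers is anyone on the internet, AuthenticatedUsers is
# any AWS account holder, which is still effectively public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a stranger enumerate and download objects.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group URI, permission) for every ACL grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _grants_read(action_patterns):
    """IAM actions may use wildcards (s3:*, s3:Get*), matched case-insensitively."""
    pats = [p.lower() for p in action_patterns]
    return any(fnmatch.fnmatchcase(a, p) for a in READ_ACTIONS for p in pats)


def public_policy_statements(policy):
    """Split anonymous-read Allow statements into unconditional and conditional.

    A Condition does not make a statement safe: a check on aws:Referer or a
    broad aws:SourceIp range is trivially satisfied, so conditional hits are
    returned for a human to read rather than silently accepted.
    """
    unconditional, conditional = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(_as_list(stmt.get("Action", []))):
            continue
        target = conditional if stmt.get("Condition") else unconditional
        target.append(stmt.get("Sid", "<no Sid>"))
    return unconditional, conditional


def audit(acl, policy):
    """Combine both checks; 'exposed' is True when the bucket is readable by anyone."""
    acl_hits = public_acl_grants(acl)
    unconditional, conditional = public_policy_statements(policy)
    return {
        "acl_public": acl_hits,
        "policy_public": unconditional,
        "policy_needs_review": conditional,
        "exposed": bool(acl_hits or unconditional),
    }


# Constructed sample: the kind of configuration behind a "leaky bucket" story.
OWNER_ID = "0123456789abcdef" * 4  # made-up canonical user ID
LEAKY_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-pos-backups/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:List*"], "Resource": "arn:aws:s3:::example-pos-backups",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/pos-app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-pos-backups/*"},
    ],
}
# Hardened counterpart: owner-only ACL and no anonymous policy statements.
PRIVATE_ACL = {"Owner": LEAKY_ACL["Owner"], "Grants": LEAKY_ACL["Grants"][:1]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [LEAKY_POLICY["Statement"][2]]}

if __name__ == "__main__":
    print(json.dumps(audit(LEAKY_ACL, LEAKY_POLICY), indent=2))
    print(json.dumps(audit(PRIVATE_ACL, PRIVATE_POLICY), indent=2))
```

The script only reads the two bucket-level documents. Objects can also be exposed through per-object ACLs or an access point, and the account- or bucket-level S3 Block Public Access setting overrides both documents, so treat a clean result here as one check among several rather than proof that the bucket is private.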
Among the samples were records from Amedicanna Dispensary, including customer PII and information related to the firm's inventory and sales. Bloom Medicinals' data included similar PII, alongside cannabis product lists, suppliers, prices, monthly sales, discounts, returns, and taxes paid. Colorado Grow Company's exposed information related to monthly sales, discounts, taxes, employee names, and inventory lists. It is likely that more dispensaries have been impacted.

Because the exposed records include medical information, the breach may have consequences under the US Health Insurance Portability and Accountability Act (HIPAA) of 1996, which requires those who hold protected health information (PHI) to implement strict safeguards. Under the law, HIPAA violators can face multi-million-dollar fines or jail time.

"Medical patients have a legal right to keep their medical information private," the researchers say. "Those whose personal information was leaked may face negative consequences both personally and professionally."

Two days after the database was discovered, VPNMentor reached out to THSuite but received no response. This led the researchers to contact Amazon AWS on January 7, 2020. A week later, access to the database was revoked.

ZDNet has reached out to THSuite and the impacted dispensaries and will update when we hear back.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com