Is the Data You Give to Cannabis Dispensaries Safe?
Personal data from 30,000 cannabis customers leaked from an Amazon Web Services bucket used by a Seattle-area dispensary management software. You should be worried.
Big Weed exists in the age of Big Data, meaning the cannabis industry is vulnerable to all the same attacks and hacks as everyone else.
This was demonstrated with the revelation two weeks ago that an Amazon Web Services storage bucket, containing point of sales data from 30,000 cannabis dispensary customers and more than 85,000 individual data files, was left open, unencrypted, and unsecured. Anyone internet-savvy enough to notice — and malicious enough to use the data — could have accessed the customers’ government IDs as well as personal information like their age, address, driver’s license numbers, phone numbers, and signatures, as privacy and security outlet SC Magazine noted.
Which means this problem is real, it’s big, and it’s not going away anytime soon. And, depending on how your favorite dispensary manages your data, your data is almost certainly being stored digitally, somewhere, and is a potential target.
The open data bucket, first discovered on Dec. 24 and closed on Jan. 14, was managed by THSuite, a Seattle-area point-of-sale system used by dispensaries in Maryland, Ohio, and Colorado. (vpnMentor discovered the data, open and unencrypted, as part of its ongoing web-mapping project; THSuite also didn’t respond to vpnMentor when they were told of the leak, according to SC Magazine.)
More dispensaries who used THSuite could be implicated; the researchers said the data trove was simply too big to quantify and they checked out only a handful of files to see what was exposed.
As vpnMentor pointed out, dispensaries collect loads of personal data from anyone who shops there, because they have to, thus creating an extremely attractive pot of data for hackers. This is a liability for medical-marijuana dispensaries, who might run afoul of federal HIPAA requirements for leaving medical patients’ records unsecured, but it’s probably a wider concern for cannabis dispensary customers — particularly in states where simply being a cannabis user can lead to complications at work and elsewhere.
The problem is that this is at least partially a problem of government. Laws in most states, including California, requires dispensaries to keep customer data in order to ensure that they’re complying with state law and not selling weed to underage customers. Along with that minimum, many dispensaries also record sales trend data.
To manage all this information in a way that’s not paper ledger or shoebox in the attic, dispensaries in many states are turning to cloud-based software solutions like THSuite —to manage inventory but also to comply with onerous state laws including track-and-trace as well as age verification.
Another problem is that many dispensaries appear to interpret state law too broadly and retain too much data.
“Current law and regulation require cannabis licensees retain certain records, including receipts, for seven years,” as the California state legislative analyst noted recently. “The regulations do not explicitly require licensees to retain the personal information that they have collected as part of a sale for seven years, although some licensees may interpret the record retention requirement to apply to that information.”
That prompted state lawmakers to pass and former Gov. Jerry Brown to sign into law a prohibition on selling personal data to third parties, but that data is still out there, somewhere. There are cloud options that are secure and HIPAA compliant such as Truevault. In this instance, it seems THSuite just used a poor solution — an unsecured Amazon S3 bucket — rather than something more secure.
So what do you do with this? Cannabis customers should feel empowered to ask dispensaries what data they collect and where they store it. If they can’t or won’t answer, or you don’t like the answer, you should feel compelled to shop somewhere else. But onerous and often vague state laws requiring dispensaries to hang onto so much personal data ought also be revisited. If liquor stores don’t create huge troves of attractive data, why do dispensaries? As usual, the answer is “because it’s weed,” and that answer is creating extra trouble for everybody.
Roberts, ByChris. “Is the Data You Give to Cannabis Dispensaries Safe?” Cannabis Now, 3 Feb. 2020, cannabisnow.com/is-the-data-you-give-to-cannabis-dispensaries-safe/.