Cannabis users’ sensitive data leaked in “serious” breach

22nd January 2020

Internet privacy researchers at vpnMentor have discovered a data breach in point-of-sale software used in the cannabis industry

The team, led by Noam Rotem and Ran Locar, identified an unsecured data repository owned by THSuite, which contained sensitive data from numerous marijuana dispensaries across the United States.

Among the leaked data were names, addresses, government and employee IDs and further personally identifiable information.

THSuite offers software to cannabis dispensaries across the US. In order to comply with state laws, dispensaries have to collect a large amount of data from each individual transacting. 

The THSuite platform is used to manage all of this data, plugging into each state’s traceability system through an API, making the process quicker and easier.

Over 85,000 files were found to have been leaked in the data breach, 30,000 of which included sensitive, personally identifiable information. According to vpnMentor, the leak also included scanned government and company IDs. 

READ MORE: Millions of fingerprints leaked in latest high-profile data breach

In a blogpost detailing the report, vpnMentor said: “The leaked bucket contained so much data that it wasn’t possible for us to examine all the records individually.

What is a User Journey
Trending
What is a User Journey

“In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US.”

Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company were among the worst-hit companies, but the breach affected many more dispensaries. vpnMentor even goes so far as to say that it is possible for all THSuite clients and customers to have had their data leaked.

“As a result of this data breach, sensitive personal information was exposed for medical marijuana patients, and possibly for recreational marijuana users as well. This raises some serious privacy concerns.

“Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally.

Under HIPAA regulations, vpnMentor state that it is a federal crime in the US for a health service provider to expose personal information. Violations can result in fines of up to $50,000 for each leaked record.

There is still a stigma around cannabis use. Some workplaces even prohibit it entirely. vpnMentor fears that individuals using cannabis either recreationally or for medical purposes may face consequences at their place of work, or even at home.

vpnMentor has contacted THSuite. At the time of publication, they had not yet received a reply. 

We think you'll like:

Luke Conrad

Technology & Marketing Enthusiast

Birmingham Unveils the UK’s Best Emerging HealthTech Advances

Kosta Mavroulakis • 03rd April 2025

The National HealthTech Series hosted its latest event in Birmingham this month, showcasing innovative startups driving advanced health technology, including AI-assisted diagnostics, wearable devices and revolutionary educational tools for healthcare professionals. Health stakeholders drawn from the NHS, universities, industry and front-line patient care met with new and emerging businesses to define the future trajectory of...

Why DEIB is Imperative to Tech’s Future

Hadas Almog from AppsFlyer • 17th March 2025

We’ve been seeing Diversity, Equity, Inclusion, and Belonging (DEIB) initiatives being cut time and time again throughout the tech industry. DEIB dedicated roles have been eliminated, employee resource groups have lost funding, and initiatives once considered crucial have been deprioritised in favour of “more immediate business needs.” The justification for these cuts is often the...

The need to eradicate platform dependence

Sue Azari • 10th March 2025

The advertising industry is undergoing a seismic shift. Connected TV (CTV), Retail Media Networks (RMNs), and omnichannel strategies are rapidly redefining how brands engage with consumers. As digital privacy regulations evolve and platform dynamics shift, advertisers must recognise a fundamental truth. You cannot build a sustainable business on borrowed ground. The recent uncertainty surrounding TikTok...

The need to clean data for effective insight

David Sheldrake • 05th March 2025

There is more data today than ever before. In fact, the total amount of data created, captured, copied, and consumed globally has now reached an incredible 149 zettabytes. The growth of the big mountain is not expected to slow down, either, with it expected to reach almost 400 zettabytes within the next three years. Whilst...

What can be done to democratize VDI?

Dennis Damen • 05th March 2025

Virtual Desktop Infrastructure (VDI) offers businesses enhanced security, scalability, and compliance, yet it remains a niche technology. One of the biggest barriers to widespread adoption is a severe talent gap. Many IT professionals lack hands-on VDI experience, as their careers begin with physical machines and increasingly shift toward cloud-based services. This shortage has created a...

Tech and Business Outlook: US Confident, European Sentiment Mixed

Viva Technology • 11th February 2025

The VivaTech Confidence Barometer, now in its second edition, reveals strong confidence among tech executives regarding the impact of emerging technologies on business competitiveness, particularly AI, which is expected to have the most significant impact in the near future. Surveying tech leaders from Europe and North America, 81% recognize their companies as competitive internationally, with...