A misconfigured Amazon Web Services S3 storage bucket was discovered leaking data that had been collected by a point-of-sale system used by multiple cannabis dispensaries, researchers from vpnMentor reported on Wednesday.
The exposed bucket, which was found on Christmas eve and closed by Jan. 14, was found to contain more than 85,000 files. These included scanned government and employee photo IDs of over 30,000 individuals, the signatures of dispensary visitors and patients, and customer attestations acknowledging state cannabis laws, according to a vpnMentor company blog post.
vpnMentor researchers Noam Rotem and Ran Locar spotted the open database while conducting their ongoing web mapping project, and determined that it belonged to THSuite, a Seattle-based software supplier to the cannabis industry.
The records found within the storage bucket correspond to the customer sales data of various marijuana dispensaries using THSuite's POS solution. The researchers specifically named three of the affected dispensaries: Amedicanna Dispensary in Maryland, Bloom Medicinals in Ohio (with corporate headquarters in Florida) and Colorado Grow Company in Colorado.
Depending on the dispensary, the exposed order and inventory data at times also included names, phone numbers, email addresses, birthdates, street addresses, medical/state ID numbers and expirations dates, date of first purchase, cannabis varieties purchased, quantities of purchase, cannabis gram limits, transaction cost, date received, and whether or a customer requested financial assistance. Additionally, the researchers observed Bloom Medicinals' monthly sales, discounts returns and taxes paid, and Colorado Grow Company's gross sales, discounts, taxes, net sales, totals for each payment type, employee names and the number of hours employees worked.
SC Media reached out to all three named dispensaries, as well as to THSuite, for comment.
"We have been made aware that our third-party technology provider, THSuite, experienced a data breach which may have affected some of our patients' data," said RJ Starr, head of compliance and regulatory affairs at Bloom Medicinals, in a statement. "... We are working closely with our technology vendor to identify which, if any, of Bloom Medicinals patients have been affected. Once we have identified any affected patients, we will notify each individual, and follow all state and federal breach notification requirements."
"As a result of this data breach, sensitive personal information was exposed for medical marijuana patients, and possibly for recreational marijuana users as well. This raises some serious privacy concerns," vpnMentor stated in its blog post, noting that the incident could very well constitute a HIPAA violation. "Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally."
"Many workplaces have specific policies prohibiting cannabis use. Customers and patients may face consequences at work due to their cannabis use being exposed. Some could even lose their jobs, especially if they work for a federal agency," the blog post continued. Additionally, customers could be subject to targeted phishing scams that leverage the vast amount of information gleaned from the leaky storage bucket.
It is not known if any malicious parties accessed any of the leaked data. vpnMentor said it alerted THSuite of the problem on Dec. 26, and subsequently contacted Amazon AWS on Jan. 7. It is not clear whether it was THSuite or Amazon that resolved the issue on Jan. 14; however, vpnMentor told SC Media that THSuite never replied to the researchers' private disclosure of the leak.
"Cannabis businesses should strive to comply with all applicable local, state, and federal laws, with the exception of the cannabis-related portions of the Controlled Substances Act of course," said Morgan Fox, media relations director at the National Cannabis Industry Association. "In this case, I'm glad that this vulnerability was discovered by researchers and corrected, but I don't think the affected businesses should be accountable for an omission by a single service provider. They should certainly warn their customers of the potential breach though."
"Overall, I don't think this incident will have a significant negative impact on the regulated cannabis industry or tarnish its reputation. This could happen in any industry and it appears to be pretty limited in scope," Fox continued.
"It seems like every week we hear about another company that's left an AWS bucket unprotected, leaving sensitive data exposed. We will continue to see an escalation in these types of incidents because of the complexity of gaining visibility and managing over privileged identities in a multi-cloud enterprise environment," said CloudKnox COO Raj Mallempati. "Enterprises need to proactively address these security risks by understanding their cloud infrastructure risk posture and delivering continuous detection and remediation of over-privileged human and machine identities."
"No matter what industry you're in, if you collect customer data and use cloud storage, you absolutely must ensure that storage is protected from exposure," added Tim Erlin, VP of product management and strategy at Tripwire." Unsecured Amazon S3 buckets are not a new phenomenon. There are tools, from Amazon and from other vendors, to help with this problem."
