Why These Breaches Matter to Your Business

The cannabis industry has a data breach problem. And it’s getting worse.

Since legalization began spreading across states and countries, the industry has accumulated a troubling track record of exposing customer data, patient records, employee information, and business-critical systems. These aren’t hypothetical threats—they’re documented incidents that cost real businesses millions of dollars and exposed millions of people to identity theft, fraud, and privacy violations.

For medical dispensaries, the stakes are even higher. Patient health information carries HIPAA-level protection requirements, and the stigma still attached to cannabis use means exposure can have life-altering consequences for customers.

This article examines the 10 most significant data breaches in cannabis history, what went wrong, and—most importantly—what you can learn to protect your business.

Case Study #1: STIIIZY (2024)

The Breach at a Glance

Detail Information

Company STIIIZY (Los Angeles-based cannabis retailer)

Date Discovered November 20, 2024

Attack Window October 10 - November 10, 2024

Records Exposed 380,000 customers

Attack Vector Point-of-sale vendor compromise

Threat Actor Everest Ransomware Group

What Happened

STIIIZY, one of California’s largest cannabis operators, learned in late November 2024 that their point-of-sale processing vendor had been compromised by an organized cybercrime group. The attackers gained access to customer data for approximately one month before detection.

The breach affected four STIIIZY retail locations in California and exposed an extraordinarily comprehensive set of customer data.

Data Exposed

  • Full names, addresses, and dates of birth
  • Driver’s license numbers
  • Passport numbers
  • Photographs from government IDs
  • Signatures from government IDs
  • Medical cannabis card details
  • Complete transaction histories

This level of exposure is particularly devastating because it provides everything needed for sophisticated identity theft and fraud.

Key Lessons

Third-party risk is your risk. STIIIZY’s own systems weren’t directly breached—their vendor was. But from the customer’s perspective, STIIIZY failed to protect their data. You are responsible for the security of every vendor that touches your customer information.

POS systems are prime targets. Point-of-sale systems process the most sensitive customer data and are consistently targeted by attackers. Segment these systems, monitor them closely, and hold vendors to strict security standards.

The Everest gang is targeting cannabis. Within one week of the STIIIZY disclosure, a second cannabis operator appeared on Everest’s dark web victim blog—listed as a client of the first victim’s vendor. This wasn’t random—the cannabis industry is now explicitly on their target list.

The Complete Dispensary Cybersecurity Hardening Guide: Protect Your Business Before You’re the Next Stiiizy420,000+ customer records exposed. Passports leaked. Purchase histories published. Don’t let this happen to you. The Wake-Up Call: Stiiizy Breach (January 2025) On January 10, 2025, Stiiizy—one of the largest cannabis brands in California—confirmed a devastating data breach. The Everest ransomware gang stole data from over 420,Canna SecureCannaSecure

Case Study #2: Ohio Marijuana Card (2025)

The Breach at a Glance

Detail Information

Company Ohio Medical Alliance LLC (Ohio Marijuana Card)

Date Discovered July 2025

Records Exposed ~1 million patient files (323 GB)

Attack Vector Unsecured database (no password, no encryption)

Threat Actor None required—data was publicly accessible

What Happened

In July 2025, cybersecurity researcher Jeremiah Fowler discovered an unsecured database belonging to Ohio Marijuana Card, an organization that helps individuals obtain physician-certified medical marijuana cards. The database was completely unprotected—no password, no encryption, no firewall.

The 323-gigabyte database sat exposed on the open internet, containing nearly one million patient files.

Data Exposed

  • Full names and Social Security numbers
  • Dates of birth and home addresses
  • Driver’s license images
  • Medical intake forms
  • Physician certifications
  • Internal staff notes
  • Offender release cards (for people reentering society after incarceration)
  • 200,000+ email addresses of employees, business associates, and customers

Key Lessons

Basic security hygiene matters most. This wasn’t a sophisticated attack—the database was simply left open. Password protection and encryption are baseline requirements, not optional extras.

Medical cannabis data requires healthcare-level security. When you’re collecting medical intake forms and physician certifications, you’re handling protected health information. The security standards of traditional healthcare should apply.

Vulnerable populations face amplified harm. The exposure of offender release cards shows how cannabis data breaches can disproportionately harm already vulnerable populations.

Case Study #3: THSuite (2020)

The Breach at a Glance

Detail Information

Company THSuite (point-of-sale software for dispensaries)

Date Discovered December 24, 2019

Date Secured January 14, 2020

Records Exposed 30,000+ individuals confirmed (likely more)

Attack Vector Unsecured Amazon S3 bucket

Dispensaries Affected Amedicanna Dispensary (MD), Bloom Medicinals (OH), Colorado Grow Company (CO), and potentially all THSuite clients

What Happened

Security researchers from vpnMentor discovered an unsecured Amazon S3 bucket belonging to THSuite, a point-of-sale software company serving cannabis dispensaries. The bucket contained so much data that researchers couldn’t examine all records individually.

THSuite never responded to the disclosure. The bucket was only secured after researchers contacted Amazon directly.

Data Exposed

Patient/Customer Information:

  • Full names, phone numbers, dates of birth
  • Medical ID numbers
  • Scanned government-issued photo IDs
  • Signatures
  • Patient attestations acknowledging state cannabis laws
  • Gram limits and purchase records

Business Information:

  • Monthly sales reports and compliance reports
  • Inventory lists with product names, descriptions, costs
  • Employee payroll records and hours worked
  • Sales breakdowns by payment method and product type

Key Lessons

Cloud misconfigurations are epidemic. Amazon S3 bucket misconfigurations are one of the most common causes of data breaches across all industries. If you use cloud storage, verify your security settings.

Vendor responsiveness matters. THSuite’s failure to respond to the security disclosure is a red flag. When evaluating vendors, ask about their vulnerability disclosure process and incident response capabilities.

The exposure extends beyond customers. Employee payroll data, business financials, and operational details were all exposed—creating risks for everyone connected to the dispensaries.

Case Study #4: MJ Freeway (2016-2018)

The Breach at a Glance

Detail Information

Company MJ Freeway (seed-to-sale tracking software)

Attack Window November 2016 - 2018 (multiple incidents)

Dispensaries Affected 1,000+ clients in 23 states

Attack Types Data theft, system destruction, source code theft

State Contracts Affected Pennsylvania, Washington, others

What Happened

MJ Freeway suffered what can only be described as a cybersecurity catastrophe spanning multiple years and incidents.

November 2016: Attackers stole client data including birthdates and contact information for businesses and patients. MJ Freeway didn’t discover this theft until investigating a later attack.

January 2017: Hackers took down both MJ Freeway’s production and backup servers, causing outages for all clients. The attack corrupted data and forced dispensaries nationwide to track sales by hand or close temporarily.

June 2017: Portions of MJ Freeway’s source code were stolen and posted publicly on GitLab and discussed on Reddit. This exposure revealed potential vulnerabilities in the software.

February 2018: Washington State’s cannabis traceability database (operated by MJ Freeway’s Leaf Data Systems) was breached. Attackers downloaded a full copy of the database, including delivery schedules, vehicle information, and license plates.

Data Exposed

  • Customer/patient birthdates and contact information
  • Business operational data
  • Delivery manifests with driver information
  • Vehicle identification and license plate numbers
  • Source code (enabling future attacks)

Key Lessons

Backup systems need protection too. The January 2017 attack took down both production AND backup servers. Offline, air-gapped backups are essential.

Security debt compounds. Each breach made subsequent breaches more likely. The source code theft exposed vulnerabilities; the persistent attacks suggested ongoing access.

State contracts don’t guarantee security. MJ Freeway held multiple state government contracts during these breaches. Government selection doesn’t validate a vendor’s security posture.

Recovery claims should be verified. MJ Freeway claimed to recover 90% of client data, but many clients disputed this. Document your own data independently.

Case Study #5: Eaze / Don Davidson MD (2017)

The Breach at a Glance

Detail Information

Companies Eaze (cannabis delivery) / Don Davidson MD (medical recommendations)

Date Discovered June 26, 2017

Records Exposed Unknown (potentially substantial)

Attack Vector Insider threat (former employee)

Ransom Demanded $70 million

What Happened

A former employee of Don Davidson MD, a medical service provider offering cannabis recommendations via phone and video chat, gained unauthorized access to the clinic’s electronic medical records system. Because Don Davidson MD processed medical cannabis recommendations that fed into Eaze’s delivery platform, the breach potentially affected both companies’ customers.

According to sources with knowledge of the situation, the stolen data was being held for a $70 million ransom—an astronomical figure that suggests either a large data set or particularly sensitive information.

Data Exposed

  • Patient names and phone numbers
  • Patient notes from medical consultations
  • Medical cannabis recommendation records

Key Lessons

Insider threats are real. This breach didn’t come from an external hacker—it came from a former employee who retained or obtained unauthorized access. Implement proper offboarding procedures and monitor for unauthorized access attempts.

Medical partners share your risk. Eaze’s security depended on Don Davidson MD’s security. When you partner with medical providers or recommendation services, their security posture becomes part of yours.

Ransom demands can be massive. A $70 million demand shows how valuable attackers consider cannabis customer data. The combination of medical information, purchase history, and personal details creates high-value targets.

Case Study #6: Ontario Cannabis Store / Canada Post (2018)

The Breach at a Glance

Detail Information

Companies Ontario Cannabis Store (government retailer) / Canada Post (delivery)

Date Discovered November 1, 2018

Records Exposed 4,500 customers (~2% of orders)

Attack Vector Vulnerability in Canada Post tracking tool

Context Just weeks after Canada legalized recreational cannabis

What Happened

Just three weeks after Canada legalized recreational cannabis on October 17, 2018, the Ontario Cannabis Store experienced its first data breach. A customer discovered they could access other customers’ delivery information through a vulnerability in Canada Post’s tracking tool and reported it to Canada Post.

The breach occurred through the delivery partner, not the cannabis store itself—but from customers’ perspectives, it was their cannabis purchase data that was exposed.

Data Exposed

  • Postal codes
  • Names or initials of people who signed for deliveries
  • Dates of delivery
  • OCS reference numbers
  • Canada Post tracking numbers

While payment information and order contents weren’t exposed, the fact that someone ordered from the Ontario Cannabis Store was revealed—potentially outing cannabis users who hadn’t disclosed their use to family, employers, or others.

Key Lessons

Launch periods are high-risk periods. This breach occurred just weeks after legalization, when systems were new and under heavy load. Extra security vigilance during launches is essential.

Delivery partners need security scrutiny. Canada Post’s tracking system created the vulnerability. When selecting delivery partners, evaluate their data security practices.

“Limited” breaches still matter. Even though addresses and order contents weren’t exposed, revealing that someone purchased cannabis can have social and professional consequences in some contexts.

Case Study #7: Nevada Medical Marijuana Program (2016)

The Breach at a Glance

Detail Information

Organization Nevada Division of Public and Behavioral Health

Date Discovered December 28, 2016

Records Exposed 11,700+ applicants

Attack Vector Exposed portal / URL manipulation

Context Just before recreational legalization took effect

What Happened

Security researcher Justin Schafer discovered that Nevada’s Medical Marijuana Program portal was exposing full, unredacted PDF applications for anyone who knew how to access them. Simple URL manipulation allowed retrieval of over 11,700 application forms.

The applications belonged to people applying to work in medical marijuana establishments—owners, officers, board members, employees, and volunteers. The state initially called this a “cyberattack,” but it was actually a misconfiguration that left sensitive documents accessible on the open internet.

Data Exposed

  • Full names and positions
  • Physical and mailing addresses
  • Dates of birth
  • Complete Social Security numbers
  • Telephone numbers and citizenship status
  • Driver’s license numbers
  • Hair and eye color, height and weight

Key Lessons

Government systems aren’t inherently secure. State-operated cannabis databases face the same security challenges as private systems, sometimes with fewer resources to address them.

Employee/applicant data is as sensitive as customer data. This breach didn’t expose patient information—it exposed the personal details of people trying to work in the industry. Both categories require protection.

URL security is fundamental. The ability to access documents through URL manipulation indicates basic security failures that should be caught in any security review.

Case Study #8: Würk (2024)

The Breach at a Glance

Detail Information

Company Würk (cannabis industry HR and payroll platform)

Date Discovered December 21, 2023

Records Exposed 2.5 million records

Attack Vector MongoDB misconfiguration (passwordless database)

Data Type Employee payroll and HR information

What Happened

Security researcher Bob Diachenko discovered that Würk, a leading HR and payroll platform serving the cannabis industry, had left a MongoDB database exposed without password protection. The database was publicly accessible to anyone using basic tools—no sophisticated hacking required.

Würk disputed the severity, stating that “no substantial information was compromised.” However, researchers documented extensive exposure of sensitive employee data.

Data Exposed

  • Employee payroll records
  • Addresses and dates of birth
  • Employment details (start dates, termination dates)
  • Encrypted Social Security numbers

Key Lessons

HR and payroll systems are high-value targets. These systems contain comprehensive employee information that’s valuable for identity theft and fraud.

Database misconfiguration is a recurring theme. Like the THSuite breach, this exposure resulted from a simple misconfiguration, not a sophisticated attack. Regular security audits should check for these basic vulnerabilities.

Encryption isn’t a complete solution. While Social Security numbers were encrypted, other sensitive data was not. Encryption should be comprehensive, not selective.

Case Study #9: Washington State Leaf Data Systems (2018)

The Breach at a Glance

Detail Information

System Washington State cannabis traceability system

Vendor MJ Freeway (Leaf Data Systems)

Date Discovered February 3, 2018 (Saturday)

Date Disclosed February 8, 2018 (Thursday)

Records Exposed Full traceability database downloaded

Impact Statewide cannabis commerce disruption

What Happened

Just days after Washington State launched its new cannabis traceability system (Leaf Data Systems, provided by MJ Freeway), attackers exploited a computer vulnerability and downloaded a complete copy of the state’s cannabis traceability database.

The breach wasn’t disclosed to cannabis businesses until five days after discovery. Meanwhile, thousands of producers, processors, and retailers struggled with system issues that were actually caused by the cyberattack.

Data Exposed

  • Complete traceability database
  • Delivery schedules (February 1-4, 2018)
  • Route manifest information
  • Vehicle identification numbers
  • License plate numbers
  • Driver information

Key Lessons

Government-mandated systems create centralized targets. When states require all cannabis businesses to use a single traceability system, they create a single point of failure. A breach of that system affects the entire industry.

Disclosure delays harm businesses. The five-day gap between discovery and disclosure left businesses scrambling to troubleshoot problems they didn’t understand. Transparent, timely communication during incidents is essential.

Operational data has security implications. Delivery routes, vehicle information, and schedules could enable physical theft or targeted attacks on cannabis shipments.

Case Study #10: Dr. Ansay (2025-2026)

The Breach at a Glance

Detail Information

Company Dr. Ansay (European online medical service)

Date Range Late 2025 - January 2026

Records Exposed 500,000 customers, 1.7 million prescription records

Attack Vector Firebase database access control failure (IDOR)

Previous Breach May 2024 (PDF prescriptions indexed by search engines)

What Happened

Dr. Ansay, a Malta-based online medical service provider offering cannabis prescriptions across Europe, suffered its second major data breach within two years. The vulnerability—an Insecure Direct Object Reference (IDOR)—allowed any authenticated user to access other patients’ prescription records by manipulating their request.

Whistleblowers attempted to contact Dr. Ansay repeatedly in late 2025, but the company didn’t respond, attributing silence to Christmas holidays. The vulnerability remained active until a German technology news outlet intervened in January 2026.

Data Exposed

  • Patient prescription records (1.7 million)
  • Medical cannabis prescription details
  • Other sensitive medical information

Key Lessons

Repeat breaches indicate systemic problems. When a company suffers multiple breaches, it suggests fundamental issues with their security culture, not just isolated incidents.

Access controls require testing. IDOR vulnerabilities occur when applications don’t properly verify that users should have access to the data they’re requesting. This is a testable vulnerability that should be caught during security reviews.

Response time matters. Ignoring security reports for weeks—even over holidays—is unacceptable when patient data is at risk. Incident response processes must operate year-round.

Common Themes Across All Breaches

Analyzing these 10 breaches reveals consistent patterns that every cannabis business should address:

1. Vendor and Third-Party Risk

Six of these ten breaches involved third-party vendors (STIIIZY, THSuite, Eaze, Ontario/Canada Post, MJ Freeway, Würk). Your security is only as strong as your weakest vendor.

Action Items:

  • Conduct security assessments before selecting vendors
  • Require SOC 2 certification or equivalent
  • Include security requirements in contracts
  • Monitor vendor security continuously

2. Basic Security Failures

Several breaches resulted from elementary mistakes: passwordless databases (Ohio Marijuana Card, Würk), exposed cloud storage (THSuite), and simple URL manipulation (Nevada). These aren’t sophisticated attacks.

Action Items:

  • Implement password protection and encryption on all databases
  • Conduct regular security audits focusing on basic controls
  • Verify cloud storage security configurations
  • Test for common vulnerabilities

3. Medical Data Magnifies Harm

Breaches involving medical cannabis patients (Ohio Marijuana Card, THSuite, Eaze, Dr. Ansay) carry amplified consequences because of HIPAA requirements and the personal sensitivity of health information.

Action Items:

  • Apply healthcare-level security standards to patient data
  • Implement proper HIPAA compliance programs
  • Minimize data collection and retention
  • Train staff on medical privacy requirements

4. Government Systems Aren’t Immune

State-operated systems (Nevada, Washington, Ontario) experienced significant breaches. Government contracts don’t validate security.

Action Items:

  • Don’t assume government systems are secure
  • Advocate for security improvements in state programs
  • Maintain your own records independent of state systems
  • Plan for state system failures

5. Delayed Disclosure Compounds Damage

Multiple breaches involved delayed discovery or disclosure (MJ Freeway, Washington State, Dr. Ansay), extending the window for harm.

Action Items:

  • Implement monitoring and detection capabilities
  • Establish clear incident response procedures
  • Commit to transparent, timely disclosure
  • Notify affected parties promptly

The Cost of Inaction

The consequences of these breaches extend far beyond the immediate incidents:

For Customers and Patients:

  • Identity theft and fraud risk
  • Privacy violations
  • Potential discrimination based on cannabis use
  • Medical information exposure

For Businesses:

  • Regulatory fines and penalties
  • Legal liability and lawsuits
  • Reputational damage
  • Operational disruption
  • Lost customer trust

For the Industry:

  • Erosion of public confidence
  • Ammunition for legalization opponents
  • Increased regulatory scrutiny
  • Higher compliance costs

According to the National Cybersecurity Alliance, 60% of small businesses close within six months of a significant data breach. In the cannabis industry, where margins are often thin and regulatory scrutiny is high, that risk may be even greater.

Your Action Plan: 10 Steps to Avoid Becoming Case Study #11

Based on the lessons from these breaches, here’s your immediate action plan:

  • Audit your vendors - Identify every third party that handles customer, patient, or employee data. Assess their security practices.
  • Check your basics - Verify that all databases require authentication, all cloud storage is properly configured, and encryption is implemented comprehensively.
  • Segment your systems - Isolate POS systems, patient databases, and other sensitive systems from your general network.
  • Implement monitoring - Deploy tools to detect unusual access patterns or data exfiltration attempts.
  • Plan for incidents - Develop and test an incident response plan before you need it.
  • Train your team - Ensure all employees understand security risks and their role in preventing breaches.
  • Minimize data - Collect only what you need, retain only as long as required, and dispose of data securely.
  • Document everything - Maintain records of your security practices for regulatory compliance and legal protection.
  • Get insurance - Cyber insurance can help cover the costs of breach response and recovery.
  • Stay informed - Follow cannabis industry security news and threat intelligence to stay ahead of emerging risks.

CannaSecure Is Here to Help

These 10 breaches represent millions of exposed records and hundreds of millions of dollars in damages. But they also represent opportunities to learn—if you’re willing to take action.

CannaSecure Members get access to:

  • Complete incident response plan templates
  • Vendor security assessment questionnaires
  • Security policy templates customized for cannabis
  • Monthly threat intelligence briefings
  • State-by-state compliance requirements
  • Direct access to cannabis security experts

[Join CannaSecure Today →]

Don’t wait until you’re the next headline.

CannaSecure is dedicated to protecting the cannabis industry from cyber threats. Follow us for the latest security insights, compliance updates, and practical guidance for cannabis operators.

Sources:

  • Security Affairs, Bleeping Computer, The Record
  • MJBizDaily cannabis industry reporting
  • vpnMentor security research
  • Cybernews security research
  • CBC News, Globe and Mail (Canada)
  • Washington Times, Seattle Times
  • TechCrunch, PYMNTS
  • Cannabis Information Sharing & Analysis Organization (Cannabis ISAO)
  • State regulatory announcements