Data leaks continue to be a frequent problem for companies. The news of the day is the discovery of an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries across the United States.
The archive was stored in an unsecured S3 bucket. It was discovered by researchers from VPNMentor and impacted 30,000 people.
The use of marijuana for medical purposes is legal in some US states, and THSuite offers business process management software services to cannabis dispensary owners and operators.
The dispensaries collect large quantities of sensitive information in order to comply with state laws. THSuite solutions simplify this process and implement an effective
“Over 85,000 files were leaked in this data breach, including over 30,000 records with sensitive PII. The leak also included scanned government and company IDs stored in an Amazon S3 bucket through the Amazon Simple Storage Service.” reads the analysis published by VPNmentor.
“In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US: Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company. Examples of these entries can be found below.”
Experts pointed out that the data leak might have affected many more dispensaries; it is likely that all THSuite clients and their customers were impacted.
Exposed records include full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts.
The database also included details about Amedicanna’s inventory and sales. Experts found a list of transactions containing the following data:
The leaked data also included scanned government and employee IDs.
The exposure for medical marijuana patients, and
Patients may face negative
“Under HIPAA regulations, it’s a federal crime in the US for any health
Below is the timeline for the THSuite data leak:
(SecurityAffairs – THsuite, data leak)