More than 30,000 cannabis users had sensitive personal information exposed online by a company that makes software used by weed dispensaries. The information included scans of their driver's licenses as well as the type and quantity of weed purchased.
A team of internet privacy researchers at vpnMentor, the world's largest VPN review site, first discovered that the information was left exposed to the internet on December 24 after coming across an unencrypted Amazon S3 bucket owned by THSuite, the company that makes the software. The research team reached out to the company, which finally removed the exposed database last week.
THSuite is used by cannabis dispensaries across the country to help ensure compliance with state laws. It allows both the dispensary and state authorities to track every aspect of the business. The role that THSuite plays in ensuring cannabis industry compliance means access to significant amounts of sensitive data. vpnMentor reports that more than 85,000 files containing personally identifiable information were leaked.
At least 30,000 records contained personally identifiable information, including: patient medical history, photographs of scanned government and employee IDs, full name, phone number, email address, date of birth, street address, medical ID number, signatures, cannabis strain and the quantity purchased, employee names and work schedule, and more.
vpnMentor identified records belonging to at least three cannabis dispensaries: AmediCanna Dispensary, located in Maryland; Bloom Medicinals, located throughout Ohio; Colorado Grow Company, a recreational dispensary. These are just some of the dispensaries that were impacted by the leak, but vpnMentor's report warns that it is possible that every THSuite client and customer was affected.
THSuite did not respond to a request for comment.