Industry Why cannabis buyers are uniquely vulnerable to cyber attacks Bruce Kennedy July 11, 2019 (Lightcome/iStock)

Experts in the field of cyber security say North America’s emerging cannabis industry—and its customers—could be especially vulnerable to hacks and extortion.

Cyber security experts say the legal cannabis sector offers a tempting target for online criminals.

Cities like Baltimore, as well as the state of Georgia’s court system, and Lake City, Florida, have been the recent targets of sophisticated ransomware infections, with attackers demanding payment to stop their disruption of crucial municipal data systems. Officials in Lake City, facing the potential loss of the entire city’s information systems, paid a $460,000 ransom. Baltimore refused to pay a $75,000 ransom and is now dealing with an $18 million cleanup job.

Cyber security experts say the legal cannabis sector offers a tempting target for online criminals.

“Any type of new business or new industry is definitely going to be vulnerable,” says Matthew Dunn, associate managing director of the cyber risk practice at Kroll, a corporate investigations and risk consulting firm based in New York.

“Bad guys always seem to be a step ahead of us when it comes to technology,” he tells Leafly. “Legitimate businesses and legislators are playing catch-up on how to go ahead and build defenses to combat those techniques that are being used against them.”

Everything online, everything vulnerable

Dunn is a former FBI Special Agent who during his 21 years with the Bureau worked a lot of different investigative programs, including drug trafficking, counter-terrorism and cyber intelligence. He says that as more cannabis businesses come online and use state cannabis tracking systems, accounting apps, and point-of-sale software, they also present themselves as targets for cyber criminals.

Dunn has written several articles on potential cyber threats against cannabis retailers. Cannabis dispensaries, he said, are starting to understand just how vulnerable their businesses might be to potential cyber attacks.

Recent cannabis attacks

That vulnerability isn’t merely theoretical. These are just a few of the break-ins made public over the past few years:

In Calgary, Alberta, hackers accessed the personal health records of a medical cannabis referral agency in late 2018.

In November 2018, hackers breached the privacy of 4,500 Ontario Cannabis Store customers through a weakness in Canada Post’s tracking website.

In 2017, the California cannabis delivery service Eaze confirmed that a former employee of a medical cannabis clinic broke into the patient database of both the clinic and Eaze.

Also in 2017, the cannabis tracking system MJ Freeway suffered two cybersecurity breaches within a period of six months.

In early 2018, Washington State’s cannabis traceability database was hacked; the intruder stole product transfer and manifest data.

Cyber extortion thrives on stigma

The cannabis industry is also vulnerable to some unique forms of cyber extortion.

“Let’s say bad guys are able to get a hold of a database of cannabis customers at some type of retail dispensary,” says Dunn. “Some of these customers may not want the public to know that they are utilizing cannabis, even if it’s legal. If they’re in the public limelight, if it’s something with their employment, whatever it may be.”

“Criminals know this, and if they can…utilize this information to try to extort money from them to keep their silence, then they’re going to do it,” he added. “It’s similar to the things we’ve seen in the past with ‘sextortion’ kinds of cases.”

The cost of a hack

Even without extortion, the cost of cybercrime can be tremendous.

Research done last year by IBM and the Ponemon Institute found that, on average, a data breach costs a business close to $4 million – with a nearly 30% likelihood that an affected business will experience another data breach within two years.

“You have to start thinking about replacement costs for hardware and software, potentially lost sales…about the lost hours when your network is down,” Dunn says. “Think about your brand or image once this information gets out to the public. Dispensaries have to be concerned with the same thing. If you are a customer, are you going to go to a dispensary that just recently had all its database exposed, or are you going to go to a different dispensary that maybe has a more mature security program?”

MJ Freeway’s experience

Case in point: MJ Freeway, one of the nation’s leading seed-to-sale software tracking firms, took a number of shots from hackers between 2016 and 2018. The company suffered a theft of client data in 2016, followed by another attack the following year. In early 2018 an electronic intruder stole transfer and manifest data from Washington State’s cannabis tracking system, which was provided by MJ Freeway.

Company founder Jessica Billingsley defended her company’s performance in a 2018 interview with Marijuana Business Daily. She said the attacks came as the company was moving customers from an older platform to a new, more stable and secure system. Billingsley pointed to “circumstantial evidence which points to a specific competitor” behind the attacks. No person or company has been publicly named in the attacks.

Since the attacks, MJ Freeway has rebounded and expanded into Pennslvania and Utah. Jeannette Ward Horton, the company’s vice president for global marketing and communications, told Leafly the past incidents resulted in a more robust company culture around security. “Due to the successful survival of the attack two years ago, we developed a culture of security that permeates throughout company, and we can proactively identify vulnerabilities that others cannot see, which allows us to better mitigate risk,” she said.

Earlier this year MJ Freeway merged with MTech Acquisition to form the company Akerna, which went public and is now trading on the NASDAQ exchange.

A cash-driven business

Dunn believes cyber attacks can be even especially devastating for legal cannabis companies, many of which are cash-driven and don’t have access to insurance, bank loans and the other safeguards that can keep a besieged mainstream business financially afloat during a crisis.

For a cannabis business, he says, “If you are suffering some compromise to your network, and if you have to spend a fair amount of money to go ahead to contain it and remediate it, there may not be enough revenue left for you to continue to operate that business.”

Three pillars of security

Many firms, according to Dunn, view cyber security as a purely IT problem. But they fail to realize that most cyber attacks are “end user-based,” meaning they go after individuals within a company. As a result, cannabis retailers need to educate their work force about what Dunn calls the Three Pillars of Cyber Security:

People: Training company staff to understand that they’re the first line of defense against cyber attacks. And cannabis businesses, Dunn says, “have got to educate their employees that they are being targeted every single day. You’ve got to educate them not to click on every link that comes in, or open attachments without absolutely confirming that it’s coming from a trusted individual.” And that includes executive-level staff.

Policies/Processes: One of the most common ways for cybercriminals to hack into a victim’s network is by stealing passwords and credentials.

“Until we go universally to something biometric in nature, like a fingerprint or a retinal scan, passwords are still the primary security measure that we have,” Dunn says. “So you’ve got to have a strong password/encryption policy.”

Cannabis businesses should also think about developing so-called acceptable use policies on company computers. Employees freely surfing the internet from a corporate network, Dunn said, can unknowingly download malware and other programs that can disrupt trade or compromise sensitive information.

Technology: Hardening a network from cyber attack via firewalls, anti-virus software, security updates for hardware, as well as monitoring malicious activity or policy violations, is a must, Dunn says.

A sign of maturity?

It’s a dubious milestone, the fact that cannabis businesses are now dealing with the same data vulnerability issues faced by their mainstream counterparts. But it also shows how large and lucrative the legal cannabis industry has become.

“All retailers are confronting the same type of risks that are out there,” says Dunn. “You’re all potential targets. That’s because the vast majority of our data today is kept electronically on our networks. As a cannabis retailer, you just have to build into that mindset, that you are being targeted every single day—because the bad guys can monetize so much of the information that’s on your network.”

Bruce Kennedy Bruce Kennedy is an award-winning reporter, editor, and producer based in Colorado. He has covered the legal cannabis industry since 2010. View Bruce Kennedy's articles