Experts found online an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries.

Data leak continues to be a frequent issue suffered by companies, news of the day is the discovery of an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries across the United States.

The archive was stored in an unsecured S3 bucket, it was discovered by researchers from VPNMentor and impacted 30,000 people.

The use of marijuana for medical purposes is legal in some US states and THSuite offers business process management software services to cannabis dispensary owners and operators.

The dispensaries collect large quantities of sensitive information in order to comply with state laws. THSuite solutions simplify this process and implement an effective traceability system by collecting many customers’ private data.

“Over 85,000 files were leaked in this data breach, including over 30,000 records with sensitive PII. The leak also included scanned government and company IDs stored in an Amazon S3 bucket through the Amazon Simple Storage Service.” reads the analysis published by VPNmentor.

“In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US: Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company. Examples of these entries can be found below.”

Experts pointed out that the data leak might have affected many more dispensaries, likely all THSuite clients and their customers were impacted.

Exposed records include full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts.

The database also included details about Amedicanna’s inventory and sales, experts found the list of transactions containing the following data:

Patient name and medical ID number

Employee name

Cannabis variety purchased

Quantity of cannabis purchased

Total transaction cost

Date received, along with an internal receipt ID

The leaked data also included scanned government and employee IDs.

The exposure for medical marijuana patients, and possibly for recreational marijuana users as well could have serious consequences for the privacy of impacted individuals.

Patients may face negative consequences , both personally and professionally.

“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual. HIPAA violations can result in fines of up to $50,000 for every exposed record, or even in jail time.” concludes VPNmentor.

Below the timeline for the THSuite data leak:

Date discovered : December 24, 2019

: December 24, 2019 Date owners contacted : December 26, 2019

: December 26, 2019 Date Amazon AWS contacted : January 7, 2020

: January 7, 2020 Date database closed: January 14, 2020

Pierluigi Paganini

(SecurityAffairs – THsuite, data leak)