THSuite data leak exposes cannabis users information

Experts found online an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries.

Data leak continues to be a frequent issue suffered by companies, news of the day is the discovery of an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries across the United States.

The archive was stored in an unsecured S3 bucket, it was discovered by researchers from VPNMentor and impacted 30,000 people. 

The use of marijuana for medical purposes is legal in some US states and THSuite offers business process management software services to cannabis dispensary owners and operators.

The dispensaries collect large quantities of sensitive information in order to comply with state laws. THSuite solutions simplify this process and implement an effective traceability system by collecting many customers’ private data.

“Over 85,000 files were leaked in this data breach, including over 30,000 records with sensitive PII. The leak also included scanned government and company IDs stored in an Amazon S3 bucket through the Amazon Simple Storage Service.” reads the analysis published by VPNmentor.

“In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US: Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company. Examples of these entries can be found below.”

Experts pointed out that the data leak might have affected many more dispensaries, likely all THSuite clients and their customers were impacted.

Exposed records include full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts.

The database also included details about Amedicanna’s inventory and sales, experts found the list of transactions containing the following data:

Patient name and medical ID numberEmployee nameCannabis variety purchasedQuantity of cannabis purchasedTotal transaction costDate received, along with an internal receipt IDThe leaked data also included scanned government and employee IDs.

The exposure for medical marijuana patients, and possibly for recreational marijuana users as well could have serious consequences for the privacy of impacted individuals.

Patients may face negative consequences, both personally and professionally.

“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual. HIPAA violations can result in fines of up to $50,000 for every exposed record, or even in jail time.” concludes VPNmentor.

Below the timeline for the THSuite data leak:

Date discovered: December 24, 2019Date owners contacted: December 26, 2019Date Amazon AWS contacted: January 7, 2020Date database closed: January 14, 2020

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – THsuite, data leak)

The post THSuite data leak exposes cannabis users information appeared first on Security Affairs.