Data leak continues to be a frequent issue suffered by companies, news of the day is the discovery of an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries across the United States.
The archive was stored in an unsecured S3 bucket, it was discovered by researchers from VPNMentor and impacted 30,000 people.
The use of marijuana for medical purposes is legal in some US states and THSuite offers business process management software services to cannabis dispensary owners and operators.
The dispensaries collect large quantities of sensitive information in order to comply with state laws. THSuite solutions simplify this process and implement an effective traceability system by collecting many customers’ private data.
“Over 85,000 files were leaked in this data breach, including over 30,000 records with sensitive PII. The leak also included scanned government and company IDs stored in an Amazon S3 bucket through the Amazon Simple Storage Service.” reads the analysis published by VPNmentor.
“In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US: Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company. Examples of these entries can be found below.”
Experts pointed out that the data leak might have affected many more dispensaries, likely all THSuite clients and their customers were impacted.
Exposed records include full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts.
The database also included details about Amedicanna’s inventory and sales, experts found the list of transactions containing the following data:
The leaked data also included scanned government and employee IDs.
The exposure for medical marijuana patients, and possibly for recreational marijuana users as well could have serious consequences for the privacy of impacted individuals.
Patients may face negative consequences, both personally and professionally.
“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual. HIPAA violations can result in fines of up to $50,000 for every exposed record, or even in jail time.” concludes VPNmentor.
Below the timeline for the THSuite data leak:
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – THsuite, data leak)
[adrotate banner=”5″]
[adrotate banner=”13″]
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
This website uses cookies.