Cannabis Dispensary Data Breach: How Can Businesses Protect Their Customers’ Information?

Tens of thousands of customers have been impacted by a data breach linked to a point-of-sale-software company. Here, Matthew Dunn of risk consulting firm Kroll shares cybersecurity tips for the industry.



At least 30,000 customers across multiple U.S. cannabis dispensaries have been impacted by a data breach linked to point-of-sale software company THSuite, and Matthew Dunn, associate managing director in the Cyber Risk Practice of Kroll, says the news should get cannabis business owners thinking more critically about their cybersecurity measures.

The recent data breach was first discovered by internet privacy researchers at vpnMentor, according to a Mashable report. The exposed data was stored in a completely unsecured and unencrypted location owned by THSuite, the news outlet reported, and was found on Dec. 24. vpnMentor’s researchers contacted the THSuite team, and the database was closed on Jan. 14.

More than 85,000 files were leaked in the data breach, including at least 30,000 records that contain personally identifiable information, Mashable reported. Full names, birthdates, phone numbers, email addresses, street addresses, patient names and medical ID numbers, and information about specific cannabis purchases were included in the records, as well as photographs of scanned government and employee IDs, according to the news outlet.

“Whether it’s retail or any other company that has its sensitive data compromised, we see cybercriminals utilizing that type of information to conduct additional types of cyber-related attacks, but also using that information for fraudulent financial transactions, identity theft or other types of criminal actions,” Dunn told Cannabis Dispensary.

The cannabis industry is still relatively new, with start-ups launching all the time, and cybersecurity strategies might not always be a priority for new businesses that are just getting up and running, Dunn added. Still, he said, there are responsibilities associated with storing and maintaining sensitive customer data, and businesses should not take that lightly.

“The bottom line is that a cannabis dispensary as a retailer is really no different from any other retailers as far as the threats that they would face, other than the fact that they are relatively a new industry, … which makes them a target that way,” Dunn said. “The commodity itself makes [cannabis businesses] an even higher threat risk, but they still need to employ the same practices that any retailer or cyber business should be engaging in at this time to protect themselves, as well as the information that they are entrusted with maintaining on their networks.”

Criminals may conduct cyberattacks that encrypt a company’s files, or they may launch denial-of-service attacks, which could render a company’s network unusable. Such attacks could cause significant damage to intellectual property and proprietary information, including outright theft of those assets.

“When you start looking at potential lost hours or business opportunities, especially if you’re an e-commerce business and people can’t access your website or your employees can’t access the database that they need to do your business, this could potentially be putting you out of business for a while, while you recover what’s been compromised,” Dunn said.

Therefore, cannabis businesses—like any other business—must take steps to implement cybersecurity strategies.


“The first thing I would suggest is you need to educate your work staff and provide them with some type of security awareness training to let them know that they are being targeted every day, so they’re a little bit more leery of every email that comes in that may look legitimate,” Dunn said.

Phishing emails have become extremely common, he said, and can entice employees to click on a link or open an attachment that contains malware, which could negatively impact a company’s network.

“They’ll conduct social engineering techniques. They’ll make phone calls. They’ll try to get you to give up your credentials, so they can log in to your network. They’ll make it look like it’s coming from a trusted employee,” Dunn said. “So, the education and the awareness are the primary things you can do to let people know they’re being targeted.”

Companies should also implement policies focused on cybersecurity, he added, such as requiring robust passwords, instituting multi-point verification systems and encrypting sensitive data.

“Passwords are still one of the primary ways we protect access to the network, as well as the data on there,” Dunn said. “Utilize multi-faceted authentication, so that you need to have two forms of authentication to get access to your network, your email or even to databases that have sensitive information in there. Utilize encryption to encrypt data that’s sensitive, so that even if it does get compromised, the criminals won’t be able to determine what that information contains, so it’s protected that way.”

Operating systems and other software should always be updated, as well.

“Companies will put out these patches, these upgrades, because they’ve identified vulnerabilities within those platforms,” Dunn said. “They know that cybercriminals are trying to take advantage of those vulnerabilities to compromise your networks, so make sure you’re exercising those patches when they come through to make sure you’re secure.”

State privacy statutes vary and may actually require companies that maintain sensitive data to implement reasonable security measures to protect that data, Dunn added. Business owners should work with legal counsel, insurance companies and cybersecurity consultants who are familiar with these regulations to develop a cybersecurity strategy and a plan of action in the event of a breach, he said.

Business owners should also perform regular self-assessments of their networks to better understand and remediate any vulnerabilities or gaps, Dunn added. They should also consider cyber liability insurance policies to provide protection in the event of a breach.

“The companies need to protect themselves, similar to what they would do for property insurance or for any type of physical theft,” Dunn said. “You need to be thinking about the data you contain in your network, as well, because you are being trusted to protect people’s personal information, whether it’s just their identity information, or it could be medical information that people would not want to see compromised and being posted over the internet or in dark web forms that are being traded between criminals operating in that area.”