Since the Feb. 1 debut of Leaf Data Systems' tracking software in Washington state, licensed cultivators have reported glitches with the system and its capacity for inventory transfers. On Feb. 8, the Washington State Liquor and Cannabis Board confirmed that “the online marijuana traceability system was disrupted after a computer vulnerability was exploited on Saturday Feb. 3, 2018.”
According to a letter signed by WSLCB Deputy Director Peter Antolin, it’s likely that someone hacked into the system, made a copy of the Leaf Data Systems tracking database and absconded with the information, thus setting off the glitches.
The information accessed by the intruder included “route information of manifests filed between Feb. 1 and 4, 2018,” as well as “transporter vehicle information including VIN, license plate number and vehicle type. The database does not include driver or driver license information.” (Vehicle information is already listed as a public record in Washington.)
The state notified all growers earlier this week. According to the Washington State Office of CyberSecurity, no personally identifiable information (like names or social security numbers) was lifted in the Feb. 3 incident.
The issue was corrected by Monday, Feb. 5, Antolin wrote.
Leaf Data Systems is contracted out to MJ Freeway, which is working with the state to ensure that disruptions like this do not occur again.
Read the full letter to Washington cannabis cultivators below:
A Message to All Marijuana Licensees from Deputy Director Peter Antolin
Security Incident Played Role in Traceability System Rollout Disruption
February 8, 2018
Dear Licensees:
I am writing with an important message regarding the complications with this week’s transition to the new traceability system, Leaf Data Systems.
Intrusion of Traceability
A computer vulnerability was exploited on Saturday, allowing unauthorized access to the traceability system. There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users. We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.
As we’ve communicated already, that issue was corrected on Monday Feb. 5, 2018, and communicated to licensees. We recognize that there are other known issues within the system. There are workarounds for most. They will be fixed in subsequent releases.
The state’s vendor, MJ Freeway, became aware of the transfer abnormality on Saturday. The company immediately began a review and identified it as a potential security incident on Monday. MJ Freeway immediately notified the WSLCB. The WSLCB then contacted the Washington State Office of CyberSecurity, (OCS), which examined the data taken to determine if it contained personally identifiable information, PII.
No Personally Identifiable Information Released
The information captured by the intruder does not contain personally identifiable information, such as names and social security numbers. However, we wanted to make you aware of the incident.
The following information was accessed during the incident:
- Route information of manifests filed between Feb. 1 and 4, 2018.
- Transporter vehicle information including VIN, license plate number and vehicle type. The database does not include driver or driver license information.
With the exception of the manifest data all the information obtained via the intrusion is publicly available. The WSLCB already responds to requests for publicly available records per the state’s public records law.
Because there is no personally identifiable information, there is nothing that licensees need to do at this time. As a precaution, with the above in mind, please review your transport plans and take any appropriate steps you feel necessary for your business.
Current Status
The WSLCB and MJ Freeway continue to implement several strategies to prevent future vulnerabilities to future intrusions. This includes full logging and monitoring and working with third-party entities. Since this remains an active investigation, details on security are not publicly available.
Next Steps
The LCB is hosting a live webinar Friday at 10:00 a.m. that will include myself and leaders from our IT division, MJ Examiners unit, and enforcement. You may register here.
The bottom line is that this incident is unfortunate. There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system. Know, however, that we will continue to take necessary steps to protect all traceability information. This includes an ongoing review of the information we require in traceability and the implementing the best practices in security.
As always, continue checking your email for notifications and the WSLCB website for the latest information.
Sincerely,
Peter Antolin
WSLCB Deputy Director
Traceability Project Executive Sponsor
Top image courtesy of Adobe Stock