Cannabis users’ sensitive data leaked in “serious” breach

Internet privacy researchers at vpnMentor have discovered a data breach in point-of-sale software used in the cannabis industry

The team, led by Noam Rotem and Ran Locar, identified an unsecured data repository owned by THSuite, which contained sensitive data from numerous marijuana dispensaries across the United States.

Among the leaked data were names, addresses, government and employee IDs and further personally identifiable information.

THSuite offers software to cannabis dispensaries across the US. In order to comply with state laws, dispensaries have to collect a large amount of data from each individual transacting. 

The THSuite platform is used to manage all of this data, plugging into each state’s traceability system through an API, making the process quicker and easier.

Over 85,000 files were found to have been leaked in the data breach, 30,000 of which included sensitive, personally identifiable information. According to vpnMentor, the leak also included scanned government and company IDs. 


READ MORE: Millions of fingerprints leaked in latest high-profile data breach


In a blogpost detailing the report, vpnMentor said: “The leaked bucket contained so much data that it wasn’t possible for us to examine all the records individually.

“In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US.”

Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company were among the worst-hit companies, but the breach affected many more dispensaries. vpnMentor even goes so far as to say that it is possible for all THSuite clients and customers to have had their data leaked.

“As a result of this data breach, sensitive personal information was exposed for medical marijuana patients, and possibly for recreational marijuana users as well. This raises some serious privacy concerns.

“Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally.

Under HIPAA regulations, vpnMentor state that it is a federal crime in the US for a health service provider to expose personal information. Violations can result in fines of up to $50,000 for each leaked record.

There is still a stigma around cannabis use. Some workplaces even prohibit it entirely. vpnMentor fears that individuals using cannabis either recreationally or for medical purposes may face consequences at their place of work, or even at home.


vpnMentor has contacted THSuite. At the time of publication, they had not yet received a reply. 

Luke Conrad

Technology & Marketing Enthusiast

Six ways to maintain compliance and remain secure

Patrick Spencer VP at Kiteworks • 16th September 2024

With approximately 3.4 billion malicious emails circulating daily, it is crucial for organisations to implement strong safeguards to protect against phishing and business email compromise (BEC) attacks. It is a problem that is not going to go away. In fact, email phishing scams continue to rise, with news of Screwfix customers being targeted breaking at...

Enriching the Edge-Cloud Continuum with eLxr

Jeff Reser • 12th September 2024

At the global Debian conference this summer, the eLxr Project was launched, delivering the first release of a Debian derivative that inherits the intelligent edge capabilities of Debian, with plans to expand these for a streamlined edge-to-cloud deployment approach. eLxr is an open source, enterprise-grade Linux distribution that addresses the unique challenges of near-edge networks...

Embracing digital AI recruitment without rocking the boat

Katherine Loranger • 11th September 2024

Artificial intelligence (AI) is set to become indispensable in business operations. For global enterprises, AI offers significant benefits by simplifying complexity and enabling confident decisions—when used in the right way. Those HR recruitment teams that seamlessly integrate AI technologies will optimise their recruitment practices and will have the opportunity to better realise their commitment to...

Why a data strategy underpins a successful AI strategy

Jim Liddle • 05th September 2024

AI and machine learning offer exciting innovation capabilities for businesses, from next-level predictive analytics to human-like conversational interfaces for functions such as customer service. But despite these tools’ undeniable potential many enterprises today are unprepared to fully leverage AI’s capabilities because they lack a prioritised data strategy. Bringing siloed and far-flung unstructured data repositories into...
The Digital Transformation Expo is coming to London on October 2-3. Register now!