Cannabis users’ sensitive data leaked in “serious” breach

Internet privacy researchers at vpnMentor have discovered a data breach in point-of-sale software used in the cannabis industry.

The team, led by Noam Rotem and Ran Locar, identified an unsecured data repository owned by THSuite, which contained sensitive data from numerous marijuana dispensaries across the United States.

Among the leaked data were names, addresses, government and employee IDs and further personally identifiable information.

THSuite offers software to cannabis dispensaries across the US. In order to comply with state laws, dispensaries have to collect a large amount of data from each individual making a transaction.

The THSuite platform is used to manage all of this data, plugging into each state’s traceability system through an API, making the process quicker and easier.

Over 85,000 files were found to have been leaked in the data breach, 30,000 of which included sensitive, personally identifiable information. According to vpnMentor, the leak also included scanned government and company IDs. 




In a blog post detailing the report, vpnMentor said: “The leaked bucket contained so much data that it wasn’t possible for us to examine all the records individually.

“In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US.”

Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company were among the worst-hit companies, but the breach affected many more dispensaries. vpnMentor even goes so far as to say that all THSuite clients and customers may have had their data leaked.

“As a result of this data breach, sensitive personal information was exposed for medical marijuana patients, and possibly for recreational marijuana users as well. This raises some serious privacy concerns.

“Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally.”

vpnMentor states that, under HIPAA regulations, it is a federal crime in the US for a health service provider to expose personal information. Violations can result in fines of up to $50,000 for each leaked record.

There is still a stigma around cannabis use. Some workplaces even prohibit it entirely. vpnMentor fears that individuals using cannabis either recreationally or for medical purposes may face consequences at their place of work, or even at home.


vpnMentor has contacted THSuite. At the time of publication, it had not yet received a reply.

Luke Conrad

Technology & Marketing Enthusiast
