How to Vet Your Cannabis Tech Vendors (Before They Get You Breached)
The STIIIZY breach came through a POS vendor. MJ Freeway disrupted dispensaries across multiple states. Your security is only as strong as your weakest vendor.
The Vendor Problem
Here's an uncomfortable truth: you can have perfect internal security and still get breached through a vendor.
In late 2024, STIIIZY—one of California's largest cannabis brands—discovered that 420,000+ customer records had been stolen. The attackers didn't hack STIIIZY directly. They compromised a third-party point-of-sale vendor that had access to customer data.
Names. Addresses. Government IDs. Medical cannabis cards. Purchase histories. All exposed because someone else's security failed.
This isn't a new phenomenon. In 2017 and 2018, MJ Freeway—a major cannabis compliance software provider—suffered repeated breaches that disrupted dispensary operations across multiple states. Some operators couldn't process sales for days.
The pattern is clear: Cannabis businesses depend heavily on external vendors, and those vendors are now primary attack targets.

Why Attackers Target Your Vendors
Think about it from an attacker's perspective:
Direct Attack:
- Target one dispensary
- Maybe get a few thousand customer records
- Have to repeat the process for every target
Vendor Attack:
- Target one software provider
- Get access to hundreds of dispensaries at once
- One breach, massive payoff
The economics favor attacking vendors. Everest (the ransomware group behind the STIIIZY breach) has built an entire business model around this—they function as "initial access brokers," selling access to vendor systems to other criminal groups.
Your Vendor Attack Surface
Before you can secure your vendor relationships, you need to understand what you're actually exposed to.
Map Your Vendors
Create a complete inventory of every third party that has access to:
Customer Data:
- Point-of-sale systems
- E-commerce platforms
- Loyalty program providers
- Delivery platforms
- Age verification services
- ID scanning solutions
- Customer relationship management (CRM)
- Email marketing platforms
Business Operations:
- Seed-to-sale/track-and-trace (METRC integrations)
- Inventory management
- Accounting software
- Payroll providers
- HR systems
Technology Infrastructure:
- Cloud hosting providers
- Managed IT services
- Security monitoring
- Backup providers
- Payment processors
Physical Access:
- Security guard services
- Alarm monitoring companies
- HVAC/maintenance contractors
- Cleaning services
Categorize by Risk
Not all vendors are equal. Categorize each by:
Tier 1 - Critical (Highest Risk):
- Direct access to customer PII
- Access to financial systems
- Integration with METRC/compliance systems
- Can impact your ability to operate
Tier 2 - Important (Medium Risk):
- Access to internal business data
- Physical access to facilities
- Supporting services with some data exposure
Tier 3 - Standard (Lower Risk):
- Limited data access
- Easily replaceable services
- Minimal operational impact if compromised
Your Tier 1 vendors need the most scrutiny. A breach of your POS system is catastrophic. A breach of your office supply vendor? Inconvenient, but manageable.
The Vendor Security Assessment
For every Tier 1 vendor—and ideally Tier 2 as well—you should conduct a security assessment before signing a contract and periodically thereafter.
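The inventory-and-tiering procedure above, worked through as an added Python example (this is not code from the article or from any vendor it names): a constructed vendor inventory, the article's Tier 1/2/3 criteria encoded as a classifier, and the rule that Tier 1 (and ideally Tier 2) vendors get a security assessment before signing. The field names, the sample vendors, and the choice that any single Tier 1 criterion is enough to make a vendor critical are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Risk tiers from the article: 1 = Critical, 2 = Important, 3 = Standard."""
    CRITICAL = 1
    IMPORTANT = 2
    STANDARD = 3


@dataclass
class Vendor:
    """One third party and the kinds of access it holds (field names are assumptions)."""
    name: str
    category: str                         # inventory bucket, e.g. "Customer Data"
    customer_pii: bool = False            # direct access to customer PII
    financial_systems: bool = False       # access to financial systems
    compliance_integration: bool = False  # integrates with METRC / compliance systems
    operations_dependency: bool = False   # an outage would stop you operating
    internal_data: bool = False           # access to internal business data
    physical_access: bool = False         # can enter your facilities
    easily_replaceable: bool = True       # a substitute could be swapped in quickly


def assign_tier(v: Vendor) -> Tier:
    """Apply the article's tier criteria; any one Tier 1 condition is enough (assumption)."""
    if (v.customer_pii or v.financial_systems
            or v.compliance_integration or v.operations_dependency):
        return Tier.CRITICAL
    if v.internal_data or v.physical_access:
        return Tier.IMPORTANT
    return Tier.STANDARD


def needs_assessment(v: Vendor) -> bool:
    """Tier 1 must be assessed before signing; the article recommends Tier 2 as well."""
    return assign_tier(v) <= Tier.IMPORTANT


def build_register(vendors):
    """Group vendor names by tier, most critical first (enum definition order)."""
    register = {tier: [] for tier in Tier}
    for v in vendors:
        register[assign_tier(v)].append(v.name)
    return register


# Constructed sample inventory (not real vendors), drawn from the article's categories.
INVENTORY = [
    Vendor("POS platform", "Customer Data", customer_pii=True,
           operations_dependency=True, easily_replaceable=False),
    Vendor("Loyalty program", "Customer Data", customer_pii=True),
    Vendor("Track-and-trace integration", "Business Operations",
           compliance_integration=True, operations_dependency=True,
           easily_replaceable=False),
    Vendor("Payroll provider", "Business Operations", financial_systems=True),
    Vendor("Inventory management", "Business Operations", internal_data=True),
    Vendor("Cleaning service", "Physical Access", physical_access=True),
    Vendor("Office supply vendor", "Other"),
]


if __name__ == "__main__":
    for tier, names in build_register(INVENTORY).items():
        print(f"Tier {int(tier)} ({tier.name.title()}): {', '.join(names) or '-'}")
    due = [v.name for v in INVENTORY if needs_assessment(v)]
    print("Assessment required before contract:", ", ".join(due))
```

Running it prints the register with the POS platform, loyalty program, track-and-trace integration and payroll provider in Tier 1, inventory management and the cleaning service in Tier 2, and the office supply vendor in Tier 3. Keeping the criteria in one function means the inventory can be re-scored whenever a vendor's access changes, which is what makes the periodic reassessment the article calls for practical.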

