The 10 Biggest Cannabis Data Breaches: Case Studies Every Dispensary Owner Must Know
Why These Breaches Matter to Your Business
The cannabis industry has a data breach problem. And it's getting worse.
Since legalization began spreading across states and countries, the industry has accumulated a troubling track record of exposing customer data, patient records, employee information, and business-critical systems. These aren't hypothetical threats—they're documented incidents that cost real businesses millions of dollars and exposed millions of people to identity theft, fraud, and privacy violations.
For medical dispensaries, the stakes are even higher. Patient health information carries HIPAA-level protection requirements, and the stigma still attached to cannabis use means exposure can have life-altering consequences for customers.
This article examines the 10 most significant data breaches in cannabis history, what went wrong, and—most importantly—what you can learn to protect your business.
Case Study #1: STIIIZY (2024)
The Breach at a Glance
| Detail | Information |
|---|---|
| Company | STIIIZY (Los Angeles-based cannabis retailer) |
| Date Discovered | November 20, 2024 |
| Attack Window | October 10 - November 10, 2024 |
| Records Exposed | 380,000 customers |
| Attack Vector | Point-of-sale vendor compromise |
| Threat Actor | Everest Ransomware Group |
What Happened
STIIIZY, one of California's largest cannabis operators, learned in late November 2024 that their point-of-sale processing vendor had been compromised by an organized cybercrime group. The attackers gained access to customer data for approximately one month before detection.
The breach affected four STIIIZY retail locations in California and exposed an extraordinarily comprehensive set of customer data.
Data Exposed
- Full names, addresses, and dates of birth
- Driver's license numbers
- Passport numbers
- Photographs from government IDs
- Signatures from government IDs
- Medical cannabis card details
- Complete transaction histories
This level of exposure is particularly devastating because it provides everything needed for sophisticated identity theft and fraud.
Key Lessons
Third-party risk is your risk. STIIIZY's own systems weren't directly breached—their vendor was. But from the customer's perspective, STIIIZY failed to protect their data. You are responsible for the security of every vendor that touches your customer information.
POS systems are prime targets. Point-of-sale systems process the most sensitive customer data and are consistently targeted by attackers. Segment these systems, monitor them closely, and hold vendors to strict security standards.
The Everest gang is targeting cannabis. Within one week of the STIIIZY disclosure, a second cannabis operator appeared on Everest's dark web victim blog—listed as a client of the first victim's vendor. This wasn't random—the cannabis industry is now explicitly on their target list.
CannaSecure
Case Study #2: Ohio Marijuana Card (2025)
The Breach at a Glance
| Detail | Information |
|---|---|
| Company | Ohio Medical Alliance LLC (Ohio Marijuana Card) |
| Date Discovered | July 2025 |
| Records Exposed | ~1 million patient files (323 GB) |
| Attack Vector | Unsecured database (no password, no encryption) |
| Threat Actor | None required—data was publicly accessible |
What Happened
In July 2025, cybersecurity researcher Jeremiah Fowler discovered an unsecured database belonging to Ohio Marijuana Card, an organization that helps individuals obtain physician-certified medical marijuana cards. The database was completely unprotected—no password, no encryption, no firewall.
The 323-gigabyte database sat exposed on the open internet, containing nearly one million patient files.
Data Exposed
- Full names and Social Security numbers
- Dates of birth and home addresses
- Driver's license images
- Medical intake forms
- Physician certifications
- Internal staff notes
- Offender release cards (for people reentering society after incarceration)
- 200,000+ email addresses of employees, business associates, and customers
Key Lessons
Basic security hygiene matters most. This wasn't a sophisticated attack—the database was simply left open. Password protection and encryption are baseline requirements, not optional extras.
Medical cannabis data requires healthcare-level security. When you're collecting medical intake forms and physician certifications, you're handling protected health information. The security standards of traditional healthcare should apply.
Vulnerable populations face amplified harm. The exposure of offender release cards shows how cannabis data breaches can disproportionately harm already vulnerable populations.
Case Study #3: THSuite (2020)
The Breach at a Glance
| Detail | Information |
|---|---|
| Company | THSuite (point-of-sale software for dispensaries) |
| Date Discovered | December 24, 2019 |
| Date Secured | January 14, 2020 |
| Records Exposed | 30,000+ individuals confirmed (likely more) |
| Attack Vector | Unsecured Amazon S3 bucket |
| Dispensaries Affected | Amedicanna Dispensary (MD), Bloom Medicinals (OH), Colorado Grow Company (CO), and potentially all THSuite clients |
What Happened
Security researchers from vpnMentor discovered an unsecured Amazon S3 bucket belonging to THSuite, a point-of-sale software company serving cannabis dispensaries. The bucket contained so much data that researchers couldn't examine all records individually.
THSuite never responded to the disclosure. The bucket was only secured after researchers contacted Amazon directly.
Data Exposed
Patient/Customer Information:
- Full names, phone numbers, dates of birth
- Medical ID numbers
- Scanned government-issued photo IDs
- Signatures
- Patient attestations acknowledging state cannabis laws
- Gram limits and purchase records
Business Information:
- Monthly sales reports and compliance reports
- Inventory lists with product names, descriptions, costs
- Employee payroll records and hours worked
- Sales breakdowns by payment method and product type
Key Lessons
Cloud misconfigurations are epidemic. Amazon S3 bucket misconfigurations are one of the most common causes of data breaches across all industries. If you use cloud storage, verify your security settings.
Vendor responsiveness matters. THSuite's failure to respond to the security disclosure is a red flag. When evaluating vendors, ask about their vulnerability disclosure process and incident response capabilities.
The exposure extends beyond customers. Employee payroll data, business financials, and operational details were all exposed—creating risks for everyone connected to the dispensaries.
Case Study #4: MJ Freeway (2016-2018)
The Breach at a Glance
| Detail | Information |
|---|---|
| Company | MJ Freeway (seed-to-sale tracking software) |
| Attack Window | November 2016 - 2018 (multiple incidents) |
| Dispensaries Affected | 1,000+ clients in 23 states |
| Attack Types | Data theft, system destruction, source code theft |
| State Contracts Affected | Pennsylvania, Washington, others |
