Unsecured AWS S3 Bucket Found Leaking Data of Over 30K Cannabis Dispensary Customers

An unsecured Amazon S3 bucket owned by cannabis retailer THSuite was found leaking the data of more than 30,000 individuals. It was discovered by a vpnMentor research team during a large-scale web mapping project, exposed 85,000 files that included records with sensitive personally identifiable information (PII).

THSuite provides business process management software services to cannabis dispensary owners and operators in the U.S. The software platform helps simplify the compliance process for dispensary operators by automatically integrating collected data with each state's API traceability system.

Consequently, the platform accesses a great amount of private data, a lot of which was left exposed by an unsecured and unencrypted Amazon Simple Storage Service (S3) bucket owned by the retailer. The research team was able to access all files hosted on the database using a web browser.

After careful investigation, THSuite was notified two days after the discovery of the data breach. The report was forwarded to Amazon Web Services (AWS) on January 7 before the database was closed on January 14.

Information compromised

Out of the estimated 85,000 files that were leaked, over 30,000 were records with sensitive personally identifiable information (PII) that included scanned government and company IDs, medical/state ID numbers with expiration dates, and personal signatures. The exposed information also included dispensary inventory and sales information, employee names, and monthly sales reports.

So much information was exposed that it was deemed impossible to go through them all; random sampling was done on a handful of entries instead. The vpnMentor report added that the breach possibly affects all THSuite clients and customers. Three dispensaries from Maryland, Ohio, and Colorado were confirmed to be affected. No specific customer information was found for the last. However, not all compromised entries were examined in detail, so the data might exist.

Exposing protected health information (PHI) is a federal crime under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This raises serious privacy concerns for both medical marijuana patients and recreational marijuana users, as the exposed info could negatively affect their personal and professional lives.

Fixing a leaky database

Cloud technology allows organizations of all sizes to scale more quickly, streamline operations, and innovate products and services. Amazon Web Services, Microsoft Azure, and Google Cloud are all well-known and widely-used cloud computing resources.

Organizations can adopt the best practices below to strengthen an organization’s data security and prevent data breaches:

For enterprises:

  • Educate employees. All employees should know and understand the organization’s security policies and contingency plans. IT staff must familiarize themselves with cloud settings and permissions in order to maximize the platform and avoid misconfigurations.
  • Implement security measures. Establish processes for identifying threats and vulnerabilities, as well as a process for addressing them efficiently. All existing credentials and permissions must be properly distributed and limited.
  • Establish contingencies. Create an effective disaster recovery plan to minimize confusion in the event of a compromise. Enable multi-factor authentication to add an extra layer of security.

For individuals: 

  • Secure accounts. Use a combination of letters, numbers, and symbols to create strong passwords. Passwords should be regularly updated for all online accounts. Two-factor authentication should also be enabled when available.
  • Monitor accounts for unauthorized access. Report any irregularities to related authorities immediately.
  • Be aware. Knowing what cybercriminals do is the first step to avoid becoming a victim.

When it comes to cloud security, businesses should weigh their options to find a solution that addresses their needs. The best security solutions should be able to offer threat detection, network intrusion prevention, and security management.

Hybrid Cloud Security is favorable for hybrid environments that involve physical, virtual, and cloud workloads, and Trend Micro™ Deep Security™ for Cloud can proactively detect and prevent threats. 

Trend Micro Cloud Conformity is a cloud security and compliance posture management service that allows organizations to achieve real-time security for their cloud infrastructure. It provides automated security and compliance checks, full visibility and simplified reporting, and seamless workflow integration.

For those using AWS, Azure, and VMware systems, Trend Micro™ Deep Security™ as a Service secures servers without the need for installations. The solution allows the implementation of new upgrades without downtime and instantaneous connections to cloud and data center resources.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.