Data security continues to be a major issue for the cannabis industry, after a medical cannabis database in Nevada accidentally exposed the personal information of thousands of cannabis business applicants. The breach was caused by a bug that did not properly secure the eight-page documents filed for nearly 12,000 individuals.
Applicants were required to electronically submit their information, including full names, complete addresses and contact information, Social Security Numbers, citizenship status, race, gender, and a state-approved photo ID. That is more than enough information for an individual with malicious intent to cause some serious damage in the way of identify theft.
As of December 29th, online access to the database portal was completely revoked, and the unprotected web address was eliminated. Nevada state law requires the government to notify all applicants of the leak in the coming days. Early in December, the portal had been shutdown temporarily when technical staff noticed an issue. Access was re-established a week later. The database of business applicants contains only a portion of the data hosted by Nevada’s Medical Marijuana Program, which gathers patient information as well.
Data vulnerability has plagued many industries that inherently require the storage of sensitive information. The majority of US states have passed some sort of cannabis law, but so far no data security standards have been established. A number of consumer websites in the cannabis space have also come under fire for their lack of security after it was discovered that amateur computer programmers were able to access user information datasets.
Security researchers are confident that the data breach in Nevada was a technological accident, although that does not lessen the impact of exposing the sheer volume of personal records. Nevada voters recently approved the adult use of cannabis, which will require the Medical Marijuana Program to create a new database for recreational cannabis business applicants.