MJ Freeway is a cannabis software company widely used for POS, inventory tracking, and data reporting by thousands of American dispensaries. On January 8th, service was disrupted nationwide in what the company is claiming to be a maliciously-designed attack.
Thousands of dispensaries lost access to their POS systems and all transaction histories. Service is slowly being restored on an individual client basis, though retailers do have access to a temporary POS terminal.
The incident has caused quite a stir in the nascent cannabis industry, as technology services once again reveal just how vulnerable they can be. Without their indispensable POS systems running, many retailers closed shop, affecting cannabis patients and purchasers in twenty-three states, according to MJ Freeway’s FaceBook page.
MJ Freeway’s disruption occurred on the heels of the state-run database in Nevada accidentally exposing thousands of business applications, including detailed personal information. Clearly, cannabis needs more professional developers if this industry wants to catch up to the standards set by other technological communities.
MJ Freeway claims that no personal information was at risk during the incident, although some data security experts are not convinced. Still, the very thought of exposing information about cannabis patients, whether its personal or generalized consumer trends, should be a reminder that technology is fragile, and we need to be very serious about security.
If the allegations of an attack are confirmed, MJ Freeway has stated they will pursue criminal charges.
Why Cannabis Reports is Qualified to Report
Cannabis Reports is a qualified source when it comes to cannabis technology. We constantly report on technology and the role it plays in creating a safe, reliable, and successful cannabis industry.
Our Open API supports thousand of developers and hundreds of applications by offering access to information on over 9000 strains and 19000 products. We never stop encouraging technologists to enter the cannabis space and create wonders for the people who love this wonderful plant.
Please note, many publications are calling this a “hack” with very little regard to what actually occurred on the technological side. There are many possibilities as to what caused this incident, and as a community, we should refer to that accordingly.
What We Know About the Incident
Sometime late Saturday January 7th, MJ Freeway went down. One of the ubiquitous softwares powering cannabis sales across the country became inaccessible at thousands of retail locations. MJ Freeway claims to have “nearly 50 percent” of market share, and the outage made a huge dent in national sales that continues while service is being restored.
Some dispensaries began taking orders by hand, others simply closed to avoid the nightmare of non-digital sales. Certain states actually have exclusive contracts with MJ Freeway that require retailers to rely on the software, making legal cannabis nearly inaccessible in those regions .
By Sunday January 8th, MJ Freeway’s Executive Director of Data and Marketing, Jeannette Ward, made a statement on the incident, then stating that users should expect access within 24 to 48 hours, by Monday or Tuesday the 9th and 10th of January.
On Monday January 9th, the company notified users that the outage duration could last between 72 hours to three weeks. Some clients reportedly got access to limited service today, although restoring historical transaction logs will take hundreds of development hours.
Currently, MJ Freeway’s site hosts an explanatory message emphasizing: “On Sunday, January 8th, [our] infrastructure was attacked,” and “NO client or patient data was extracted or viewed in the attack.”
The first MJ Freeway clients now have access to a temporary POS resource that allows them to conduct sales, but historical records, like sales history and trends, remain inaccessible.
Thankfully, MJ Freeway immediately understood the gravity of the situation and began work on a solution that could keep retailers open for business. The company reports that they have been working non-stop to resolve issues for all of their customers.
Damage Report: Community Response to the Incident
The community was quick to react, as thousands of patients and business operators were forced to endure the lengthy process of tracking retail with pen and paper (and in fact, certain states penalize the use of handwritten ledgers for cannabis sales). The result was long lines and slow transaction times, costing retailers anywhere between an estimated $1,000 and $10,000 per day, depending on whether the retailer shuttered their store completely.
One client who voiced their grievances online demanded a full refund for the inconvenience they continue to experience. Others were quick to jump into the conversation, offering both sympathy and disdain for MJ Freeway’s predicament. Competitors of MJ Freeway were quick to pounce on the opportunity, offering sign-up deals and promising a working POS solution within 24 hours of set-up time.
As the MJ Freeway team scrambled to resolve the outage, some clients began their own investigation into what possibly went wrong. One individual presented the possibility that the incident could have stemmed from the use of an outdated version of Drupal, a content management software used to created digital frameworks.
The individual also expressed their apprehension to accept that no user data was viewed or extracted, and asked the company to be transparent and release an incident report.
A different user on Reddit posted an in-depth assessment, based on their professional experience, as to what likely caused MJ Freeway to go down:
With such a large percentage of the market share for cannabis POS, the loss of MJ Freeway negatively impacts the entire cannabis industry, even if it is just for a few days or weeks. It is likely that several MJ Freeway clients will switch over to a competing software due to a loss of trust.
MJ Freeway will have to go above and beyond to restore their service, and retain the bulk of their customers. The outage will likely shift resources from the technological partnerships that MJ Freeway has announced with other cannabis businesses, like Weedmaps (search), Cannabase (wholesale exchange), and MassRoots (social media).
Resolution, Hopefully to Include Incident Report
MJ Freeway says their team is working around the clock to resolve the issue, restore service, and that already a handful of clients are able to operate on a temporary site.
Teams are working to get access to alternate sites ASAP. This process will require direct contact via phone. All hands on deck for outreach.
— MJ Freeway (@mjfreeway) January 9, 2017
MJ Freeway is currently employing a 3rd-party security review, although it is unclear if they will release an incident report.
This comes right on the heels of the Nevada incident, in which nearly 12,000 business applications were exposed. The proximity of these two incidents highlights the immediate need for serious technologists to enter an industry with so much personal data on the line.
(4/4) Due to our encryption & security measures in place, NO client or patient data was viewed or extracted during the attack.
— MJ Freeway (@mjfreeway) January 11, 2017
The company has remained adamant that no user data was ever available. According to MJ Freeway, this attack was malicious and brought down their infrastructure, but none of the data was visible due to strong encryption techniques.
“The attack was aimed at corrupting, not extracting, data… What that means is all client-patient data is still protected, still safe, still encrypted and was not viewed by the attackers.” Jeanette Ward, MJ Freeway’s Marketing and Data Director, during an interview with The Cannabist
MJ Freeway experienced a massive outage in November of 2014, when a technical issue brought down the system for their roughly 1,000 clients. That incident supposedly originated during a migration to an improved hosting service with the intention of improving site functionality. Many users left MJ Freeway after that incident, stating that the outage made their retail location appear unorganized and unprofessional.
The public perception of the cannabis industry is typically forgiving, especially considering the infancy of many of the foundational technologies used by retailers and brands. We hope to see service restored quickly, as the estimated financial losses per day are enough to permanently affect small businesses.
We also hope to see an incident report released so that the entire cannabis tech community can learn from this mishap and strengthen security. Whether it was a shady competitor, a disgruntled employee with inside access, or a breakdown of the technology itself, knowing the cause will help everyone prepare for the future.
Openness is essential for a stronger and better connected industry, and qualified developers are the key that will open the door.
The Longterm Solution: Cannabis Needs Developer
At the end of the day, cannabis needs technology, and it needs competent and driven developers to build it. There is a massive opportunity for technologists to create the tools so desperately needed in the cannabis space, and incidents like the MJ Freeway outage prove how impactful technology can be in a growing industry, for better or for worse.
Cannabis Reports supports hundreds of developers as they design applications for cannabis, from POS systems to chatbots, and everything in between. Our goal is to make the underlying technology ingredients available so that the master chefs of the software world have a full refrigerator while they cook up their ideas.