Cybersecurity and Cannabis

Two database hacks hit marijuana businesses

The presidential election taught us yet again about the importance of cybersecurity, but it seems the cannabis community is kicking off 2017 with a few lessons as well. Over the past few weeks, hacks of state and national marijuana databases have caused major headaches for businesses, as well as a few minor ones for customers.

Firstly, in the closing days of 2016, Nevada’s Division of Public and Behavioral Health discovered that the database for the state’s medical marijuana program had been hacked. In a press release, the DPBH stated that information about employees and owners of medical marijuana businesses had been infiltrated, although they believe that patient information remains secure. Regardless, the state took down the entire system to investigate the breach. At press time, the portal remained down, the incident was still under investigation, and the state had no timetable for when the issues would be resolved.

“I have not seen any communication regarding when the system will be back up,” says Armen Yemenidjian, CEO of Las Vegas’ Essence Cannabis Dispensary. “Or, more importantly, the extent of the breach. Forget when we’re going to go back up: Whose data has been compromised? I hope and I believe that the state is doing this in an abundance of caution. That’s the smartest thing to do is to take everything off-line.”

In the meantime, dispensaries are doing things the old-fashioned way. “In order to stay in compliance, at the end of each day we’d generate reports and then send them to the designee that the state had given,” explains Mikel Alvarez of Blüm dispensary. “We generate a report through our POS system.” The lack of a computerized system has also required some extra paperwork from patients, as they are required to fill out affidavits stating that they have not bought more than the state-sanctioned 2.5 ounces every two weeks. “Some customers have gotten a little agitated—why do I have to do this?” says Yemenidjian.

The second, national hack came about two weeks later, as cannabis compliance system MJ Freeway was the victim of a malicious hack. “The attack was very focused on the corruption of our system and disabling of our system,” says Jeannette Ward, director of data and marketing at MJ Freeway. “It’s still an active investigation with a third-party IT firm and we’ll pursue potential criminal action, so we’re keeping the details reserved.”

MJ Freeway is one of a number of companies that provide seed-to-sale tracking for hundreds of marijuana grows, production facilities and dispensaries across the country. The company has been individually contacting clients to reboot their accounts. “We’re doing them individually so we can set up new passwords and new URLs for all of our customers. If we flip them all back online with the old passwords, it’s just not secure,” explains Ward, adding that, “we’re also setting them all up in a completely different server environment. Again, it’s about prioritizing security and stability moving forward.”

“I don’t think that the state’s inability to have proper protocol with respect to cybersecurity should reflect poorly on the ability of marijuana operators to run a highly compliant business,” Yemenidjian points out. And, despite the issues, cannabis advocates remain positive.

“I don’t think the hacks are a significant issue thus far. Any time you put stuff on the internet, you open up the possibility for data breaches,” says State Senator Tick Segerblom, adding that, “It does support the need to implement recreational marijuana as soon as possible since no names or personal information will be required to purchase adult use.”

Segerblom will be leading efforts to hammer out the details of adult recreational use during the upcoming legislature, which can’t come soon enough for some. Alvarez says Blüm has been seeing “about 30” would-be rec customers per day. “Rather than hang a sign on the building, we let them come in and we explain it to them… It’s not that we don’t want to sell, it’s that we’re not allowed to sell.” Hopefully not for much longer.