Personal records, including scans of ID cards and purchase details, for more than 30,000 people were exposed to the public internet from this unsecured cloud silo, we’re told. In addition to full names and pictures of customer ID cards, the 85,000-file collection is said to include email and mailing addresses, phone numbers, dates of birth, and the maximum amount of cannabis an individual is allowed to purchase. All of it was available to download, unencrypted, if you knew where to look.
Because many US states have strict record-keeping requirements written into their marijuana legalization laws, dispensaries have to manage a certain amount of customer and inventory information. In the case of THSuite, those records were put into an S3 bucket that was left accessible to the open internet – including the Shodan.io search engine.
The bucket was taken offline last week after it was discovered on December 24, and its insecure configuration was reported to THSuite on December 26 and Amazon on January 7, according to vpnMentor. The S3 bucket’s data belonged to dispensaries in Maryland, Ohio, and Colorado, we’re told.