US marijuana dispensary STIIIZY warns customers of leaked IDs and passports following a November data breach.
US marijuana dispensary STIIIZY disclosed a data breach after a vendor’s point-of-sale system was compromised by cybercriminals. The security breach exposed customer data and IDs between October 10 and November 10, 2024.
After discovering the security breach, the company investigated the incident and notified law enforcement.
“On November 20, 2024, we were notified by a vendor of point-of-sale processing services for some of our retail locations that accounts with their organization had been compromised by an organized cybercrime group.” reads the notice of data breach published by the company on its website. “An investigation conducted by the vendor revealed that personal information relating to certain STIIIZY customers processed by the vendor was acquired by the threat actors on or around October 10, 2024 – November 10, 2024. We have determined that certain of our customers’ personal information and documents was acquired by the threat actors.”
According to the notice, the security breach compromised information contained on government-issued identification cards, including drivers’ licenses and medical cannabis cards, as well as information related to transactions with our dispensaries. The categories of information compromised include name, address, date of birth, age, drivers’ license number, passport number, photograph, the signatures appearing on a government ID card, medical cannabis cards, transaction histories, and other personal information. The exposed information varies for each individual case.
STIIIZY collaborates with the vendor and legal counsel to address the breach and confirm its cause. The company also filed documents with regulators in California warning impacted customers.
The data breach affected consumer profiles from these company locations: Union Square and Mission in San Francisco, Alameda, and Modesto, California.
STIIIZY is a popular cannabis brand and retailer based in California, known for its high-quality cannabis products and innovative vape technology. The company produces a range of products, including cannabis flower, pre-rolls, concentrates, and edibles.
The company operates retail dispensaries in multiple locations across California and is recognized for its sleek branding and focus on providing a premium experience for cannabis consumers.
The US marijuana dispensary did not disclose technical details about the attack, however, in November the Everest cybercrime group claimed responsibility for the attack. The group claimed the theft of hundreds of thousands of records from the company. It initially set the ransom deadline on December 8, but early this year it announced the leak of the stolen data, likely after a failed negotiation.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
