Tens of thousands of cannabis users in the US have had their personal information leaked by a misconfigured cloud bucket, according to researchers.
Over 85,000 files, including more than 30,000 records with sensitive personally identifiable information (PII), were exposed when software firm THSuite apparently left an Amazon Web Services (AWS) S3 bucket unsecured.
THSuite provides software that helps cannabis dispensaries collect the large volumes of sensitive user info they need to comply with state laws.
At least three clients were affected in the privacy snafu: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company.
Exposed PII included names, home and email addresses, dates of birth, phone numbers, medical ID numbers and much more, according to vpnMentor.
The leak affected both medical cannabis users and those who bought the plant for recreational purposes.
“Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally,” the researchers argued.
“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual.”
The revelations may also harm recreational users, especially if their employer prohibits cannabis use, they continued. The database apparently included scanned copies of government and employee IDs.
From a cybercrime perspective, the data trove would also offer a potentially lucrative opportunity for hackers to craft convincing phishing emails, texts and calls, and launch follow-on identity fraud attempts.
The researchers found the exposed database via a simple scan on December 24 last year. They contacted its owners on December 26, and the problem was finally mitigated on January 14, 2020.
Cloud misconfigurations like this remain a major source of cyber-related risk for organizations around the world. VpnMentor alone has been able to find millions of user records leaked by the likes of cosmetics giant Yves Rocher, Best Western Hotels and Canadian telco Freedom Mobile.