Stiiizy, a Los Angeles-based cannabis operator, revealed this week that a cybercrime group gained access to sensitive customer information through a security breach at its point-of-sale vendor between October 10 and November 10, 2024. The breach affected retail customers at four Stiiizy locations in California: Stiiizy Alameda, Stiiizy Mission, Stiiizy Modesto, and Stiiizy Union Square. Exposed customer data included details from government-issued ID cards, such as names, addresses, dates of birth, and signatures. Not all customers were affected. Some transaction data was also compromised.
The company confirmed that retail transaction data was also part of the breach, but not all of it involved personally identifiable information. In response to the breach, Stiiizy has taken steps to protect its customers, offering free credit monitoring for 12 months through TransUnion for those affected by the incident. The breach was linked to a larger concern raised by the Cannabis Information Sharing & Analysis Organization (CIS), which had warned cannabis operators of growing threats from the Everest Ransomware group, a notorious cybercrime syndicate.
Ben Taylor, the executive director of CIS, had alerted cannabis operators in late November 2024 about the growing threat from ransomware groups targeting the marijuana industry. The Stiiizy breach is part of a wider trend in which cybercrime groups are increasingly targeting the cannabis sector, an industry that remains vulnerable because it is a relatively recent entrant to regulatory and digital security frameworks. Despite the challenges, the cannabis sector is attempting to bolster its cybersecurity to combat these attacks and safeguard customer data.
Stiiizy, known for its marijuana vape products, operates 10 cultivation sites, five manufacturing locations, 35 retail stores, and seven distribution sites. The company is also in the process of expanding its footprint with plans to open 17 additional retail locations across California. This incident highlights the need for increased cybersecurity in the cannabis industry, where operators are faced with heightened risks from sophisticated cybercriminal groups.