Los Angeles-based cannabis operator Stiiizy has disclosed that a data breach in late 2024 compromised sensitive customer information. The breach stemmed from a security incident involving the company’s point-of-sale vendor and exposed a range of personal details.
Stiiizy, widely known for its vape products and significant retail presence, is now grappling with the fallout from this cyberattack.
What Data Was Compromised?
The breach, which occurred between October 10 and November 10, 2024, affected customers at four California retail locations:
- Stiiizy Alameda: 1528 Webster St., Alameda
- Stiiizy Mission: 3326 Mission St., San Francisco
- Stiiizy Modesto: 426 McHenry Ave., Modesto
- Stiiizy Union Square: 180 O’Farrell St., San Francisco
Personal data accessed during the breach included names, addresses, dates of birth, and even signatures from government-issued IDs. Details about retail transactions were also exposed. Stiiizy clarified that not all data was shared for every customer, but the breadth of the exposure remains concerning.
The breach is not confined to Stiiizy's own systems: it stemmed from the company's point-of-sale vendor and highlights a broader vulnerability in the third-party service providers that cannabis operators rely on for point-of-sale transactions.
Cannabis Industry Under Cyber Threat
The cannabis sector has increasingly become a target for cybercrime. In late November, Ben Taylor, executive director of the Cannabis Information Sharing & Analysis Organization, raised alarms about the Everest Ransomware group. The criminal syndicate has been actively targeting marijuana businesses, exploiting the industry’s rapidly growing digital footprint and often fragmented cybersecurity measures.
Stiiizy’s breach adds to a growing list of cyberattacks within the cannabis industry, emphasizing the urgent need for robust data protection strategies. With sensitive customer information tied to government regulations and compliance requirements, breaches in this sector can have far-reaching consequences for both businesses and their patrons.
Stiiizy’s Response to the Breach
In response to the breach, Stiiizy has taken immediate steps to mitigate potential damage:
- Free Credit Monitoring: Impacted customers are being offered 12 months of free credit monitoring services through TransUnion. This proactive measure aims to help affected individuals monitor and manage potential misuse of their personal data.
- Ongoing Investigations: While Stiiizy works to address the breach, its public statement suggests efforts are underway to ensure similar incidents do not occur in the future. However, the company has not yet disclosed whether it has directly addressed the Everest Ransomware group’s activities.
A spokesperson for the company has not yet commented on the specifics of the breach, but Stiiizy stated that customers are encouraged to contact the company directly for further details about the credit monitoring program or any additional assistance.
Stiiizy’s Growing Footprint in California
Despite the breach, Stiiizy continues to expand its footprint in the cannabis market. The company operates:
- 10 cultivation facilities
- 5 manufacturing sites
- 35 retail stores
- 7 distribution hubs
According to Stiiizy’s website, plans are already underway to open 17 additional retail locations in California. This aggressive expansion strategy reflects the company’s ambition to remain a major player in the state’s booming cannabis industry. However, incidents like this breach could pose challenges to customer trust and loyalty.
A Larger Concern for the Cannabis Industry
The Stiiizy breach is a wake-up call for the cannabis industry at large. As more operators digitize their operations and depend on third-party vendors, the need for comprehensive cybersecurity protocols becomes more pressing. Customers entrust these companies with sensitive information, including government-issued ID details, which makes the stakes particularly high.
Key takeaways for the cannabis sector include:
- The importance of vetting third-party service providers for security measures.
- Regularly updating and patching software vulnerabilities.
- Educating employees and customers on recognizing phishing attempts and other cyber threats.
As the industry grows, so too does its appeal to cybercriminals, making investments in digital security an unavoidable cost of doing business.