Ontario Cannabis Store Data Breach Demonstrates Growing Threat

I have worked in the cannabis industry to some degree for many years now. If you count the unregulated industry here in Oregon, I am the third generation of my family to be involved with cannabis.

If there is one thing that I know about the emerging cannabis industry it’s that cannabis and chaos seem to go hand-in-hand. Laws. Rules. Regulations. Juggling all of it while all of the parts are moving and shifting, all the while trying to be innovative and effective at running a business. There is a lot that cannabis entrepreneurs and their employees have to stay on top of and it can be like trying to drink water from a fire hydrant.

One area of the emerging cannabis industry that seems to often get lost in all of the chaos is information security, which is unfortunate. When people think of information security, they often think of computers and networks, and rightfully so. Computer networks often house a significant amount of sensitive information.

However, there is far more to information security than computers and networks. Companies and employees in the cannabis industry often house more sensitive information than people realize in both digital and physical forms, including personally identifiable information and proprietary information. All of that information is a target for someone.

Whereas network security can be easily outsourced to a reputable third party, the biggest threat to a cannabis company’s information security strategy has to be addressed on an ongoing basis in-house because that threat is the company’s own staff, either due to nefarious intent or negligence.

A cannabis company can have the most robust technical safeguards in place, with a small army of network security experts doing everything they can to keep something secure, and it only takes one person with privileged access to give up some or even all of the company’s sensitive information via less-than-sophisticated methods.

The latest example of the growing information security issue facing the emerging cannabis industry can be found in Canada where a suspected data breach is making headlines. Per Infotel:

The Ontario Cannabis Store says a data breach involving some of its sales information is being investigated by the Ontario Provincial Police.

Daffyd Roderick, a spokesperson for the Crown agency responsible for distributing cannabis from producers to pot shops in the province, confirmed what he called a misappropriation of data Tuesday evening.

“There was no failure of IT security or systems,” he added.

An OCS letter obtained by The Canadian Press and sent to retailers on May 10 said that “confidential store sales data” was being “circulated in the industry.”

“This data was not disclosed by the OCS, nor have we provided any permission or consent to distribute or use this data outside of our organization,” reads the letter signed by Janet Ihm, the OCS vice-president of wholesale partnerships and customer care.

“The data was misappropriated, disclosed, and distributed unlawfully. As a result, we trust you will refrain from sharing or using this stolen data in any way.”

As noted by authorities in the excerpt, the data breach did not come as a result of a failure of ‘IT security or systems,’ meaning, it wasn’t a direct hack into the system. Many details are still unknown, however, I would personally bet a decent chunk of change that the breach was due to non-sophisticated methods.

One of the most common ways that data breaches occur is through human error. Sometimes someone from the data source sends an email to an auto-populated wrong email address in error. Sometimes they click the wrong attachment when sending an email and the data is acquired that way, or they click ‘reply all’ when they shouldn’t have. Although, that doesn’t seem to be the case in Ontario where the ‘data was not disclosed by the OCS.’ I take that to include no direct disclosures even due to human error.

Perhaps the data was gained through some type of physical theft. When I read the word ‘misappropriated’ that is where my mind went based on the currently available information. All it would take is someone copying one or more files to a digital storage medium (disc, thumb drive, phone, etc.) containing the data in question, and simply walking off with it. Everyone has a phone in their pocket these days, and taking a picture of sensitive information is very easy to do.

Regardless of how the data was obtained in this latest case, the case itself serves as a reminder that the cannabis industry is a popular target. The industry has so much money flowing through it, it’s so competitive, and many in the industry seem to be unaware of the amount of sensitive information that they have at their fingertips. The problem will only continue to get worse.

Everyone in the cannabis industry needs to be mindful of information security threats, trends, and tactics. Companies need to train their staff, continue to educate members of their organization and create effective information security policies. One silver lining in all of this is that it creates many opportunities for ancillary companies that can help cannabis companies and organizations with their information security strategies.