Popular Los Angeles-based cannabis brand Stiiizy has confirmed that hackers accessed reams of sensitive customer data, including government-issued documents and medical cannabis cards, during a November cyberattack. The company filed a data breach notice with California’s attorney general this week, stating that it was notified by its point-of-sale processing vendor about an "organized cybercrime group" that had compromised the data from some of its retail locations.
In a letter sent to affected customers, Stiiizy confirmed that hackers acquired customer data processed by the unnamed vendor between October 10 and November 10, 2024. The stolen information included personal details such as driver’s licenses, passports, medical cannabis cards, names, addresses, dates of birth, transaction data, and other unspecified sensitive information.
Stiiizy operates 39 stores across the United States and has not yet revealed the exact number of affected customers but mentioned that the incident impacted four of its retail locations in California. The company did not respond to TechCrunch’s questions about the breach, leaving the door open for further investigation into how such a massive data leak occurred.
The situation raised alarms among cybersecurity experts, as Stiiizy has not yet described the nature of the incident or provided details about the encryption methods used to protect customer data. However, Texas-based cybersecurity startup Halcyon AI reported in an 11 November blog post that Stiiizy had been targeted by a ransomware attack.
According to Halcyon AI, the cannabis operator was among the victims of the Everest ransomware group, which claimed credit for the cyberattack on Stiiizy’s systems. The group stated that it had stolen personal information, including identification documents, from over 420,000 customers before demanding a hefty ransom.
In a post shared on its dark web leak site—available to TechCrunch—the Everest group revealed its intention to publish the stolen data after Stiiizy reportedly ignored its demands for a ransom. This development underscores the growing complexity of cyber threats in the cannabis industry and the urgent need for businesses like Stiiizy to implement robust security measures to protect customer data.
The incident has sent shockwaves through the industry, with many questioning how such a massive data breach could have occurred despite the company’s efforts to secure its systems. Stiiizy’s failure to promptly notify customers and address the breach highlights vulnerabilities in its point-of-sale processing vendor, which may have been exploited by the hackers.
In response to the data breach, Halcyon AI emphasized the importance of securing customer data against future threats. "Stiiizy has not yet described the nature of the incident or provided details about the encryption methods used," Halcyon AI stated in its blog post. "This lack of transparency raises serious concerns about the effectiveness of their security measures."
The situation is further complicated by the involvement of a well-known dark web group, Everest ransomware, which has gainedNotoriety for its targeted attacks on businesses across various industries. The group’s claim to have stolen sensitive data from Stiiizy adds another layer of complexity to the incident, as it suggests that the hackers may have been part of an organized effort to compromise multiple targets.
Stiiizy’s reliance on third-party vendors for processing transactions has always been a point of contention within the industry. The company has previously faced scrutiny over its use of these vendors, which are often located in countries with weaker cyber regulations. This reliance on external systems leaves Stiiizy exposed to potential breaches unless it takes proactive steps to mitigate risks internally.
The data breach also raises questions about how Stiiizy’s customers were notified and if they received adequate warnings about the incident. The company’s failure to promptly communicate the breach to its customers has led to widespread panic, as many individuals may have already lost their sensitive information.
In light of the growing evidence of a significant data breach, it is imperative for Stiiizy to take immediate steps to address the issue and prevent further damage. The company should work closely with cybersecurity experts to identify the root cause of the incident and implement measures to safeguard customer data in the future.
The situation also underscores the importance of encryption technologies and secure communication channels in protecting sensitive information from unauthorized access. As cyber threats continue to evolve, businesses must remain vigilant and adopt proactive strategies to ensure the security of their operations.
For now, Stiiizy’s customers are left wondering how such a massive data breach could have occurred despite the company’s efforts to protect its systems. The incident serves as a stark reminder of the vulnerabilities that exist in many industries and the urgent need for improved cybersecurity measures. As the investigation continues, it will be crucial to determine whether Stiiizy took sufficient steps to prevent future breaches or if it remains vulnerable to similar attacks in the coming months.
In conclusion, the data breach at Stiiizy is a significant event that has put the company’s security infrastructure under intense scrutiny. The involvement of an organized ransomware group and the lack of transparency from the company further complicate the situation, making it imperative for Stiiizy to address the issue head-on and implement robust measures to protect its customers’ sensitive information.
