Call it Weedyleaks.
In a statement released yesterday (Dec. 28), the state said it was investigating a “cyber-attack” on its Medical Marijuana Program database that affected medical marijuana agent cards, disclosing the Social Security numbers and other identifiable information for employees and owners of medical cannabis establishments. No private medical marijuana patient information was reportedly disclosed.
“The entire portal has been taken down,” said division administrator Cody Phinney in a prepared statement. “To prevent further breaches, the Division’s IT staff are working with state IT staff, investigating the breach. We appreciate everyone’s patience during this difficult time. As more information is known, the public will be notified.”
Earlier Wednesday, a story published by ZD Net broke the news that more than 11,700 applications — which also contain an the applicant’s name, race, home address and citizenship — were exposed online. ZD Net editor Zack Whittaker reported that security researcher Justin Shafer discovered the flaw in the state’s website.
The applications that were accessible included personal information such as home addresses, height, weight and driver’s license numbers. Shafer said he believes that more than 11,700 applications were disclosed in the breach. It is unclear how long the information was available, whether anyone besides Shafer had access to it and how far back the information goes.
Links to online state portals for patients and marijuana businesses currently lead to a message apologizing that the system is temporarily down.
The incident has been referred to law enforcement agencies for further investigation