STIIIZY data breach exposes cannabis buyers’ IDs and purchases

Popular cannabis brand STIIIZY disclosed a data breach this week after hackers breached its point-of-sale (POS) vendor to steal customer information, including government IDs and purchase information.

STIIIZY is a a California-based cannabis brand known for its pod-based vaporizers and a variety of cannabis products, including flower, edibles, THC concentrates, and extracts. 

In a data breach notification published earlier this week, STIIIZY says it first suffered a data breach on November 20 when notified by its POS vendor.

"On November 20, 2024, we were notified by a vendor of point-of-sale processing services for some of our retail locations that accounts with their organization had been compromised by an organized cybercrime group," reads the data breach notification published to STIIIZY's site.

"An investigation conducted by the vendor revealed that personal information relating to certain STIIIZY customers processed by the vendor was acquired by the threat actors on or around October 10, 2024 - November 10, 2024."

As part of the breach, the threat actors stole a wide range of sensitive customer information, including driver's license information, passport numbers, photographs, and transaction histories.

"The incident impacted information contained on government-issued identification cards, including drivers' licenses and medical cannabis cards, as well as information related to transactions with our dispensaries," warns the company.

"The categories of information compromised include name, address, date of birth, age, drivers' license number, passport number, photograph, the signatures appearing on a government ID card, medical cannabis cards, transaction histories, and other personal information. Not all of this information was affected for each impacted individual."

STIIIZY says their investigation indicates that the breach only affected customers who made purchases at the following stores:

STIIIZY Union Square: 180 O'Farrell Street, San Francisco, CA STIIIZY Mission: 3326 Mission Street, San Francisco, CA STIIIZY Alameda: 1528 Webster St., Alameda, CA STIIIZY Modesto: 426 McHenry Ave., Modesto, CA

The company says they have implemented additional security measures to protect customer data and will offer free credit monitoring services to those impacted.

Due to the sensitive nature of the stolen data, impacted customers are also advised to monitor their credit history for fraudulent accounts opened under their name and to be on the lookout for targeted phishing attacks.

While STIIIZY has not shared any details on the vendor and how the data was stolen, a ransomware gang known as "Everest" claimed in November to have breached the company and stolen the personal data and IDs of 422,075 customers.

BleepingComputer contacted STIIIZY with further questions about the breach and will update this story if we hear back.

Everest ransomware claimed attack

The Everest gang also shared screenshots of the allegedly stolen data, which included scans of driver's licenses, customer profiles, medical marijuana cards, customer profiles, and company documents.

The Everest ransomware operation launched in 2020 and has had an interesting progression of malicious activity.

When first launched, the group primarily breached corporate networks to steal data and extort victims on its data leak site.

Over time, the threat actors introduced ransomware into their attacks to not only steal data but also encrypt the company's files in double-extortion attacks.

The threat actors are also known for acting as initial access brokers, selling access to corporate networks to other threat actors to perform their own attacks.

In August, the U.S. Department of Health and Human Services warned that the Everest ransomware gang was increasingly targeting the healthcare industry.