Growing Cybersecurity Risks in the Cannabis Industry
In November of 2024, STIIIZY suffered a data breach that exposed the personal information of approximately 380,000 customers. The breach, attributed to the Everest cybercrime group, affected multiple locations and was traced to a compromise within one of the company’s point-of-sale processing vendors. Aside from the additional data cannabis retailers are required to collect, the attack and the data it exposed (names, addresses, dates of birth, driver’s license numbers, passport numbers, photographs, signatures from government-issued IDs, medical cannabis card details, and transaction histories) were not necessarily unique among retailer data breaches. Within the cannabis industry, however, the incident underscored not only the vulnerabilities within STIIIZY’s particular digital infrastructure but also the broader risks facing the industry as a whole.
The cannabis industry, despite its rapid expansion, remains particularly vulnerable to cyberattacks due to a combination of regulatory burdens, fragmented financial infrastructure, and limited access to mainstream banking services. One of the major challenges cannabis retailers face is securing financial transactions. A popular method has been the use of “cashless ATMs,” which disguise cannabis purchases as ATM withdrawals. While this workaround has enabled cannabis businesses to operate within the constraints of the financial system, it has also led to increased scrutiny from regulators and financial institutions.
This scrutiny and concern limit the number of vendors willing to take on the risk of processing financial transactions associated with cannabis. Those that do take the risk may not have the developed, tried, and tested cybersecurity protections of other financial transaction processing vendors. With payment processing already a fragile part of cannabis retail operations, a breach involving a point-of-sale provider, as in the case of STIIIZY, exposes not just customer data but also systemic vulnerabilities in how the industry handles financial transactions, and may make the processing of such transactions even more difficult in the future.
Third-party vendors in cannabis retail are not limited to financial transactions. Because of the numerous, complicated, and fragmented regulations facing cannabis retailers across different jurisdictions, third-party vendors are critical to satisfying all the necessary requirements at a competitive price. For instance, they operate external platforms for compliance tracking, seed-to-sale inventory management, and customer databases …