The Growing Cybersecurity Risks in the Cannabis Industry
Authors
Paul F. Schmeltzer, Jason M. Schwent
Those familiar with the industry know that cannabis retailers find themselves in a unique position compared to other product retailers. Cannabis retailers face significant regulatory hurdles to their operation—particularly in connection with payment processing. In addition, the relative youth of the marketplace means that the cannabis marketplace is only just beginning to consolidate into large and small players—placing increased pressure on retailers to make sure that they, their products, and their reputations remain clean and clear, or face backlash at a time when negative market attention could lead to business death. And, while all retailers increasingly look to third-party vendors to add expertise at a lower cost, the peculiar and occasionally legally grey area of cannabis means that only a small number of vendors are willing to take on the risks of assisting cannabis retailers, so those few vendors end up serving wide swaths of the industry. Into this environment stepped STIIIZY, one of California’s largest cannabis retailers, and their data breach from November of last year. This breach, and its ramifications, should be a cautionary tale for others in this space and a call for more cybersecurity precautions.
In November of 2024, STIIIZY suffered a data breach that exposed the personal information of approximately 380,000 customers. The breach, attributed to the Everest cybercrime group, affected multiple locations and was traced to a compromise within one of the company’s point-of-sale processing vendors. Aside from the additional data cannabis retailers are required to collect, this attack and its impacted data (names, addresses, dates of birth, driver’s license numbers, passport numbers, photographs, signatures from government-issued IDs, medical cannabis card details, and transaction histories) was not necessarily unique in retailer data breaches. But, within the cannabis industry, the incident underscored not only the vulnerabilities within STIIIZY’s particular digital infrastructure but also the broader risks facing the cannabis industry.
The cannabis industry, despite its rapid expansion, remains particularly vulnerable to cyberattacks due to a combination of regulatory burdens, fragmented financial infrastructure, and limited access to mainstream banking services. One of the major challenges cannabis retailers face is securing financial transactions. Due to federal restrictions in the United States, major credit card networks typically do not process cannabis-related transactions, forcing dispensaries to rely on alternative payment solutions. One popular method has been the use of “cashless ATMs,” which disguise cannabis purchases as ATM withdrawals. While this workaround has enabled cannabis businesses to operate within the constraints of the financial system, it has also led to increased scrutiny from regulators and financial institutions.
This scrutiny and concern have served to limit the vendors willing to take the risks of processing financial transactions associated with cannabis. Those that do take the risks may not have the developed, tried, and tested cybersecurity protections of other financial transaction processing vendors. With payment processing already a fragile part of cannabis retail operations, a breach involving a point-of-sale provider, such as in the case of STIIIZY, exposes not just customer data but also systemic vulnerabilities in how the industry handles financial transactions, and may make the processing of such transactions even more difficult in the future.
Third-party vendors in cannabis retail are not limited to financial transactions. Because of the numerous, complicated, and fragmented regulations facing cannabis retailers across different jurisdictions, third-party vendors are critical to satisfying all of the necessary requirements at a competitive price. They, for instance, operate external platforms for compliance tracking, seed-to-sale inventory management, and customer databases, creating multiple points of potential failure. And issues with these vendors are not new. For example, MJ Freeway, a provider of compliance software for cannabis businesses, experienced repeated breaches that disrupted operations for dispensaries across the United States. The software, which many states require for regulatory compliance, became a liability when attackers infiltrated its system and rendered it unusable. This incident demonstrated how a single breach at one third-party provider could ripple across the industry, affecting numerous businesses in numerous states that depend on the service.
The STIIIZY breach also raises concerns about the implications of stolen personal information in the cannabis sector. Unlike other industries, where data breaches primarily result in financial fraud or identity theft, breaches in cannabis retail could have additional consequences due to the stigma and legal gray areas surrounding cannabis use. In some states, cannabis purchases are still considered legally questionable, and consumers may fear repercussions if their purchase history is exposed. Additionally, those who use medical cannabis for the treatment of sensitive conditions could face privacy violations that extend beyond financial harm. This risk is particularly alarming given that the STIIIZY breach included information such as medical cannabis card details, which could reveal protected health information.
One of the primary takeaways from the STIIIZY incident should be the necessity of stronger cybersecurity measures throughout the cannabis industry. Companies must evaluate the security practices of their third-party vendors and ensure they are adhering to industry standards for data protection. While many cannabis retailers have invested heavily in compliance-related technology, cybersecurity has often been an afterthought, largely because businesses have been focused on first navigating the complex legal landscape of the industry. However, as data breaches become more frequent, companies must proactively address these security risks to protect their customers and maintain trust.
To improve security, cannabis businesses should prioritize encrypting sensitive customer information both in transit and at rest. Encryption ensures that even if attackers gain access to data, they cannot easily use it. Regular security audits of both internal systems and third-party integrations can help identify vulnerabilities before they are exploited. Employee training is also essential; many breaches occur due to human error, such as falling for phishing scams or using weak passwords. Companies should implement strict access controls to limit the number of individuals who can access sensitive customer data and require multi-factor authentication for all login attempts.
Additionally, cannabis businesses should develop and maintain an incident response plan that allows them to quickly address security breaches when they occur. The ability to detect and respond to an attack in real time can significantly reduce the damage caused by a breach. In STIIIZY’s case, the breach persisted for a month before it was discovered, highlighting the need for improved monitoring and threat detection capabilities.
Government agencies and regulators also have a role to play in improving cybersecurity standards for the cannabis industry. Many states mandate strict reporting requirements for inventory tracking and compliance, yet they have not implemented similar requirements for data security. Creating cybersecurity guidelines tailored to the unique challenges of the cannabis sector would provide clearer expectations for businesses and help mitigate the risk of future breaches. Some states have started taking steps in this direction, but there remains a significant gap in enforcement and standardization.
Customers, too, should be aware of the risks associated with providing personal information to cannabis retailers. While most businesses take security seriously, data breaches and the need for ever-evolving cybersecurity protections will always remain. Consumers should use discretion when sharing information and take advantage of credit monitoring services if they are notified of a breach. They should also be mindful of phishing scams that may arise following a breach, as cybercriminals often exploit exposed data to conduct further fraudulent activities.
The STIIIZY data breach is a wake-up call for the cannabis industry, emphasizing the need for stronger cybersecurity measures, better vendor oversight, and increased awareness of digital threats. As the industry continues to grow, so too will the sophistication of cyberattacks targeting it. Businesses must stay ahead of these threats by investing in cybersecurity infrastructure, training employees, and ensuring that third-party vendors are held to the highest security standards. With proper precautions, the cannabis industry can continue to thrive while safeguarding the personal information of its customers.
If you have questions about the content of this update, please contact Paul Schmeltzer (pschmeltzer@clarkhill.com; 323.497.4493), Jason Schwent (jschwent@clarkhill.com; 312.985.5939), or another member of Clark Hill’s Cybersecurity, Data Protection, and Privacy Group.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.