Pot dispensary IT director asks for help after tracking system software was hacked

After MJ Freeway, a cloud-based medical marijuana patient, inventory and sales-tracking system was hacked, an IT director at a pot dispensary asked for help as to what he should do after the breach.

cannabis weed marijuana (public domain)
Credit: Chuck Herrera

Of course, in the digital world, anyone can claim to be anyone. Yet a person claiming to be the IT director of a medical marijuana dispensary took to Slashdot in hopes of receiving legal advice after the point of sale system the MMJ used was hacked.

Denver-based MJ Freeway, a medical marijuana “seed-to-sale” tracking software company experienced a “service interruption” – that turned out to be a hack – a week ago on January 8. The hack of the point-of-sale system left more than 1,000 retail cannabis clients unable to track sales and inventories. Without a way to keep records in order to comply with state regulations, some dispensaries shut down, while others reverted to tracking sales via pen and paper.

medical marijuana point of sale system MJ Freeway hacked MJ Freeway

From the beginning, MJ Freeway has maintained that no client/patient pot dispensary data was stolen. Yet the alleged IT director of such a dispensary wrote:

This system was built on Drupal in 2010. I'm guessing the more they modified the Drupal core, the more bug-fixed versions behind they fell behind (not to mention the rest of the LAMP stack). They've lost all customer data, meaning there was no air-gapped, off the net backups. What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot" potentially floating out there on the net. I guess because we're “Medicinal” it's no better than someone knowing a person takes Xanax for their nerves.

I feel like this company is playing on the ignorance of the general public when it comes to these types of IT security issues. I don't think people get how serious this is. What should I do?

MJ Freeway told Marijuana Business Daily that the attack was on its infrastructure – main databases and backups, “but no client data was stolen.” Later, the company said it might “take two or three weeks to fully restore service to dispensaries and recreational marijuana stores.” Again, the point was reiterated that a cyberattack crashed the system, but there was currently no evidence that any “medical cannabis patient data or business data was decrypted or compromised.”

Jeannette Ward, director of data and marketing for MJ Freeway, said, “The attack was aimed at corrupting, not extracting, data. What that means is all client-patient data is still protected, still safe, still encrypted and was not viewed by the attackers.”

Nevertheless, the Slashdot submitter is not the only one concerned, despite MJ Freeway having tweeted more than once that patient data was encrypted and not compromised. At what point does repeated reassurances of good security start to cause unease?

MJ Freeway encryption security hacking tweets MJ Freeway

As the throwaway account suggested, was the company running Drupal 6, which was released in 2008 and had an end-of-life announcement issued in June 2014 – and even extended support ends next month? Is that taking security seriously? The company claims that it now has better security, saying, “Due to the level of security protocols now in place…”.

Were there no offline backups, or were there “multiple redundant backups” from different sources which take a long time to restore? Is the company sure the attackers didn’t get hold of the encryption keys, steal the encrypted data and leave behind corrupted databases? If it was exfiltrated, then even if attackers didn’t read the sensitive data, isn’t that still a breach? What should the alleged pot dispensary IT director do?

There are many questions, so on Saturday, MJ Freeway CEO and co-founder Amy Poinsett released a statement via video.

“On Sunday morning, hackers took down both MJ Freeway’s production and backup servers, causing an outage for all our clients.” She apologized before adding, “Keeping our clients’ data secure has always been a top priority. Current analysis shows the attackers did not extract any client or patient data and did not view any patient data thanks to encryption measures we had in place.”

Why does it seem like every company that gets hacked, often due to lax security, then tries to claim how important the security and privacy of its customers are to that company?

MJ Freeway is “channeling” its “outrage into action,” saying it had been working since Monday to connect hundreds of online clients to alternate MJ Freeway sites. It is apparently a time-consuming process as each requires a phone call that lasts until the client’s site is live. “We’re doing whatever it takes to get clients back on their feet and secure.”

Poinsett continued:

This outage is a unique situation caused by an unprecedented, malicious attack. The damage from the attack is extensive, but much is repairable. In response to this attack, all clients’ sites have been migrated to a new, more secure environment. It’s one of many measures we are taking to bolster our defenses.

Ward said MJ Freeway doesn’t understand the motivation for the attack, or who did the attacking, but it will “definitely pursue a criminal investigation.”

If you have any legal suggestions for the IT director asking for help on Slashdot, then please do pass them along.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10