Between October 10 and November 10, 2024, STIIIZY, a prominent California-based cannabis retailer, suffered a data breach that compromised the personal information of approximately 380,000 customers. The attackers did not break into STIIIZY directly: they compromised a third-party point-of-sale (POS) vendor used by STIIIZY and accessed customer data through it.
Scope of the Breach
The unauthorized access affected customer data from four STIIIZY retail locations: Union Square and Mission in San Francisco, Alameda, and Modesto. The compromised information included names, addresses, dates of birth, driver’s license numbers, passport numbers, photographs, signatures from government-issued IDs, medical cannabis card details, and transaction histories. Not all data fields were affected for every individual, but the breadth of information exposed raised significant concerns about potential identity theft and privacy violations.
Discovery and Response
STIIIZY was notified of the breach on November 20, 2024, by its POS vendor. Upon learning of the incident, the company initiated an internal investigation and engaged cybersecurity experts to assess the extent of the breach. STIIIZY also notified relevant regulatory bodies, including the California Attorney General’s office, and began sending out data breach notification letters to affected customers in early January 2025.
To mitigate the impact, STIIIZY offered 12 months of free credit monitoring services through TransUnion to those affected. The company also stated that it had implemented additional security measures to prevent future incidents, although specific details of these enhancements were not disclosed.
Perpetrators and Motive
The Everest ransomware group claimed responsibility for the attack, alleging that they had stolen over 422,000 customer records. The group reportedly set a ransom deadline of December 8, 2024, threatening to leak the stolen data if their demands were not met. It remains unclear whether STIIIZY paid the ransom; however, some of the compromised data was later published online, indicating that negotiations may have failed.
Everest is known for targeting a range of industries, including healthcare and retail, frequently by compromising third-party vendors rather than the end victim itself. Its tactics typically involve double extortion: stealing data, in many cases also encrypting systems, and then threatening to publish the stolen data unless a ransom is paid. In the STIIIZY case the public claims centred on the stolen records and their eventual publication.
Legal and Industry Implications
The breach has prompted legal scrutiny, with law firms like Levi & Korsinsky, LLP investigating the incident for potential class-action lawsuits. The firm’s investigation focuses on whether STIIIZY adequately protected customer data and complied with applicable data protection laws.
This incident underscores the risk of relying on third-party vendors for critical services like POS systems: a compromise at the vendor exposes every merchant whose data flows through it, and the merchant's own controls never come into play. It also shows how detection and notification lag in a vendor breach. STIIIZY learned of the incident from its vendor only on November 20, ten days after the intrusion window closed, and customer letters went out roughly two months after that. Robust cybersecurity measures and vendor risk management, including contractual breach-notification deadlines and limits on what customer data a vendor retains, matter most in industries handling sensitive customer information.
In Summary
The STIIIZY data breach serves as a stark reminder of the cybersecurity challenges facing the cannabis industry. As the sector continues to grow and handle increasing volumes of sensitive data, companies must prioritize comprehensive security strategies to protect their customers and maintain trust.