Marijuana dispensary STIIIZY warns of leaked IDs after November data breach
A data breach in November exposed the IDs and passports of people who bought products from STIIIZY, a large marijuana dispensary in California.
The company published a breach notice on its website and filed documents with regulators in California warning anyone who bought products from their stores in San Francisco, Alameda and Modesto that their data may have been impacted.
STIIIZY, which was founded in 2017 and sells a variety of cannabis-related products, did not respond to requests for comment about how many people were affected. But the notice on the company’s website says the breach exposed drivers’ license numbers, passport numbers, photographs, medical cannabis cards and other biographical information like names, ages and addresses.
The attack also exposed transaction histories and other personal information, STIIIZY said.
The company explained that they were notified on November 20 by a point-of-sale processing services vendor that some of their retail locations were compromised “by an organized cybercrime group.”
“An investigation conducted by the vendor revealed that personal information relating to certain STIIIZY customers processed by the vendor was acquired by the threat actors on or around October 10, 2024 - November 10, 2024,” the company said.
An investigation conducted by the company confirmed that customer information was leaked. Some customers are being offered free credit monitoring services for an undisclosed amount of time.
The attack was claimed in November by the Everest cybercrime gang, which said it stole 422,075 personal records. It set a ransom deadline of December 8 and it is unclear if the company paid the undisclosed ransom.
Ransomware expert Jon Miller, CEO of cybersecurity firm Halcyon, said Everest is known for simply extorting its victims rather than launching ransomware and encrypting victim files.
“Their operations target organizations across various industries, including healthcare, government, and critical infrastructure, leveraging weak credentials, unpatched vulnerabilities, and phishing attacks to gain unauthorized access and move laterally within networks,” he said.
“Everest is particularly skilled at avoiding detection by using encrypted communication channels and secure methods to obscure their activities.”
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.