Marijuana dispensary STIIIZY warns of leaked IDs after November data breach

Avatar

A data breach in November exposed the IDs and passports of people who bought products from STIIIZY, a large marijuana dispensary in California. 

The company published a breach notice on its website and filed documents with regulators in California warning anyone who bought products from their stores in San Francisco, Alameda and Modesto that their data may have been impacted.

STIIIZY, which was founded in 2017 and sells a variety of cannabis-related products, did not respond to requests for comment about how many people were affected. But the notice on the company’s website says the breach exposed drivers’ license numbers, passport numbers, photographs, medical cannabis cards and other biographical information like names, ages and addresses. 

The attack also exposed transaction histories and other personal information, STIIIZY said. 

The company explained that they were notified on November 20 by a point-of-sale processing services vendor that some of their retail locations were compromised “by an organized cybercrime group.” 

“An investigation conducted by the vendor revealed that personal information relating to certain STIIIZY customers processed by the vendor was acquired by the threat actors on or around October 10, 2024 – November 10, 2024,” the company said. 

An investigation conducted by the company confirmed that customer information was leaked. Some customers are being offered free credit monitoring services for an undisclosed amount of time. 

The attack was claimed in November by the Everest cybercrime gang, which said it stole 422,075 personal records. It set a ransom deadline of December 8 and it is unclear if the company paid the undisclosed ransom. 

Ransomware expert Jon Miller, CEO of cybersecurity firm Halcyon, said Everest is known for simply extorting its victims rather than launching ransomware and encrypting victim files. 

“Their operations target organizations across various industries, including healthcare, government, and critical infrastructure, leveraging weak credentials, unpatched vulnerabilities, and phishing attacks to gain unauthorized access and move laterally within networks,” he said. 

“Everest is particularly skilled at avoiding detection by using encrypted communication channels and secure methods to obscure their activities.”

CybercrimeNewsNews BriefsPrivacy
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 

Total
0
Shares
Previous Post

Russian nationals arrested by US, accused of running crypto mixers Blender and Sinbad

Next Post

DoJ Indicts Three Russians for Operating Crypto Mixers Used in Cybercrime Laundering

Related Posts

Irish Watchdog Imposes Record €310 Million Fine on LinkedIn for GDPR Violations

The Irish data protection watchdog on Thursday fined LinkedIn €310 million ($335 million) for violating the privacy of its users by conducting behavioral analyses of personal data for targeted advertising. "The inquiry examined LinkedIn's processing of personal data for the purposes of behavioral analysis and targeted advertising of users who have created LinkedIn profiles (members)," the Data
Avatar
Read More