U.S. cannabis supplier Stiiizy says data breach impacted over 380,000 customers

Stiiizy, a leading cannabis products supplier in California, said that the data security incident it suffered last year compromised the sensitive personal information of 380,000 customers.

 

Founded in 2017, the Los Angeles-headquartered company sells premium cannabis products, including pod systems, flowers, vape products, cannabis extracts, and gummy edibles. 

 

In a data security incident notice published on its website, Stiiizy said that on November 20, a third-party vendor that the company used for point-of-sale processing services for some of its retail locations, suffered a data security incident that compromised the confidential data of its customers.

 

The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“An investigation conducted by the vendor revealed that personal information relating to certain STIIIZY customers processed by the vendor was acquired by the threat actors on or around October 10, 2024 - November 10, 2024. We have determined that certain of our customers’ personal information and documents was acquired by the threat actors,” Stiiizy said.

 

The compromised data included names, addresses, dates of birth, age, drivers’ license numbers, passport numbers, photographs, medical cannabis cards, information related to transactions with dispensaries, transaction histories, and more. Stiiizy’s filing with the Maine state regulator revealed that at least 380,000 individuals were impacted by the data security incident.

 

Stiiizy has, however, confirmed that customers who visited its outlets in Union Square, Mission Street, Alameda and Modesto were not impacted by the incident.

 

The company has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general. It has also offered complimentary identity protection and credit monitoring services through Cyberscout to all affected individuals.

 

In December, the Everest ransomware group claimed to have breached the internal network of STIIIZY and listed it as a victim on its data leak site. The group claimed to be in possession of 422,075 personal data records and gave a deadline till December 8 for the company to pay a ransom. It is unclear whether Stiiizy engaged with the ransomware group or paid a ransom to regain access to the stolen data records.