Personal Data of Cannabis Customers Leaked in Data Breach

A budtender (right) shows cannabis buds to a customer at the Green Pearl Organics dispensary on the first day of legal recreational marijuana sales in California, January 1, 2018 at the Green Pearl Organics marijuana dispensary in Desert Hot Springs, California. / AFP PHOTO / Robyn Beck (Photo credit should …
ROBYN BECK/AFP via Getty Images

A data breach in THSuite, a point-of-sale system for the cannabis industry, has exposed the personal data of over 30,000 individuals.

VPNMentor, the cybersecurity group that revealed the data breach of an adult entertainment network earlier this month, has uncovered a new data breach this time in the world of legal marijuana. Internet privacy researchers Noam Rotem and Ran Locar reportedly discovered a data breach in THSuite, a point-of-sale system used in the cannabis industry.

The VPNMentor team discovered an unsecured Amazon S3 bucket owned by THSuite which exposed the personal information of customers from marijuana dispensaries across the United States. The data included personally identifiable information such as scanned government documents, purchase histories, and employee IDs of over 30,000 individuals.

VPNMentor outlined the timeline of the discovery of the leak and the reaction of the owners, writing:

Sometimes the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and true.

In this case, we easily identified THSuite as the owner of the database and contacted the company with our findings.

  • Date discovered: December 24, 2019
  • Date owners contacted: December 26, 2019
  • Date Amazon AWS contacted: January 7, 2020
  • Date database closed: January 14, 2020

According to VPNMentor, 85,000 files were leaked in the breach which included 30,000 documents of personally identifiable information. In samples of the information examined by VPNMentor, the firm found information related to three marijuana dispensaries throughout the U.S. including: Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company.

Read the full report from VPNMentor here.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or email him at


Please let us know if you're having issues with commenting.