A prominent US cannabis retailer, STIIIZY, has disclosed a data breach that exposed sensitive customer information, including government-issued identification documents, between October 10 and November 10, 2024.
The breach occurred through a compromised vendor's point-of-sale system, affecting multiple STIIIZY retail locations in California. The company learned about the incident on November 20, 2024, when their vendor reported the system had been targeted by an organized cybercrime group.
Exposed customer data includes:
- Names and addresses
- Dates of birth
- Driver's license numbers
- Passport numbers
- Photographs
- Signatures from ID cards
- Medical cannabis card information
- Transaction histories
The breach impacted customer profiles at four California locations: Union Square and Mission in San Francisco, Alameda, and Modesto.
Upon discovering the breach, STIIIZY initiated an investigation and contacted law enforcement. The company is working with the affected vendor and legal counsel to address the situation and determine the root cause.
The Everest cybercrime group has claimed responsibility for the attack, stating they obtained hundreds of thousands of records. After an apparent failed negotiation with a December 8 ransom deadline, the group reportedly leaked the stolen data in early 2024.
STIIIZY, known for its premium cannabis products and innovative vape technology, has filed documents with California regulators and is in the process of notifying affected customers about the data exposure.