Top cannabis brand Stiiizy says hackers got access to its systems

Los Angeles cannabis store Stiizy files new report with the California Attorney General
Report discusses a November 2024 cyber-incident, which researchers are saying it was a ransomware attack
Thousands of customers could be affected by the breach

Stiiizy, a popular Los Angeles-based cannabis company, confirmed suffering a cyberattack in late 2024 in which it lost plenty of sensitive customer information.

In a new filing with the California Office of the Attorney General, the company provided a breach notification letter being sent out to affected customers. In it, it said that a point-of-sale processing services vendor for some of its retail locations notified it about some of their accounts being compromised by an “organized cybercrime group.”

The cannabis dealer did not discuss the attackers, their identities, or their motives. However, citing cybersecurity researchers, TechCrunch reported a ransomware operator called Everest was behind this attack.

Names and photos

Stiiizy did not say how many people were affected by the incident, but it did say what data was taken: full names, postal addresses, birth dates, age, drivers’ license numbers, passport numbers, photos, signatures (as appearing on government ID cards), medical cannabis cards, transaction history, and more. That’s enough information for personalized phishing attacks, identity theft, and more.

The notification was sent on November 20, and a subsequent investigation uncovered that the breach occurred on October 10, and most likely lasted until November 10. The investigation also uncovered that four locations were targeted: two in San Francisco, one in Alameda, and one in Modesto.

Everest has allegedly claimed responsibility for this attack and stated that it affected more than 420,000 customers - although it’s perhaps worth mentioning the number “420” is often mentioned in the context of marijuana: April 20 is an unofficial marijuana holiday, as well. Everest also added it decided to leak the data after Stiiizy decided not to pay the ransom demands.

As of May 2024, Stiiizy operated 34 retail stores in California and three in Michigan, and its products are available in multiple US states, including California, Washington, Nevada, Michigan, Illinois, and Arizona.

Via TechCrunch

Dangerous new Android malware infects 11 million devices — here's what we know
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.