380,000 customer medical records exposed by California cannabis chain breach


Published 17 Jan 2025


A cyber attack has exposed the private details of potentially 380,000 STIIIZY cannabis customers in California.

The stolen information includes driver’s licenses, medical cannabis cards, and records of what customers bought.

The company learned about the breach on November 20, 2024, when one of its vendors reported the unauthorized access. Hackers accessed customer information through STIIIZY’s payment system vendor between October 10 and November 10, 2024.

“On November 20, 2024, we were notified by a vendor of point-of-sale processing services for some of our retail locations that accounts with their organization had been compromised by an organized cybercrime group,” STIIIZY said in a data breach notice.

While STIIIZY has not confirmed the attacker’s identity, a hacker group called Everest took credit for the attack. The group uses double extortion tactics and is known to target critical sectors like healthcare. Everest reportedly posted samples of STIIIZY’s data online and threatened a full leak unless STIIIZY paid the ransom.

The breach puts customers at risk of identity theft. STIIIZY is now offering one year of free credit monitoring through Cyberscout. Customers who think they might be affected can call STIIIZY’s helpline at 833-799-4284.

“STIIIZY values your privacy and deeply regrets that this incident occurred. STIIIZY has implemented additional security measures designed to prevent a recurrence of such an attack and to protect the privacy of STIIIZY’s valued customers,” the company stated.

The company operates 39 stores across the United States and serves millions of customers annually. It was founded in 2017 and made its name selling cannabis vaping products, flowers, and edibles.

The breach affected four STIIIZY stores. Specifically, there are two locations in San Francisco (Union Square and Mission), one in Alameda, and Authentic 209 in Modesto. Anyone who shopped at these stores during October and November should watch their credit reports for suspicious activity.

This incident highlights growing security challenges in the cannabis industry. Cannabis businesses must collect sensitive customer data to comply with state regulations. Industry analysts also note that cannabis retailers’ reliance on third-party vendors for essential services opens more doors for cybercriminals to steal information.

The breach follows an August 2024 warning from the U.S. Department of Health and Human Services about Everest ransomware increasingly targeting healthcare-related businesses. Cybersecurity experts say this kind of attack might become more common in the coming years.