Washington state cannabis regulators now say a “security incident” enabled unauthorized access to the state’s cannabis-tracking system. According to the Washington State Liquor and Cannabis Board, the exploit allowed an intruder to download a copy of the state’s traceability database, which follows state-legal cannabis from seed to sale.
“A computer vulnerability was exploited on Saturday, allowing unauthorized access to the traceability system,” WSLCB Deputy Director Peter Antolin wrote in a letter to state-licensed cannabis businesses on Thursday. “There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users. We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”
Regulators say the issue was corrected on Monday, Feb. 5, although some industry members reported interruptions even after the apparent fix. “We recognize there are other known issues within the system,” Antolin wrote Thursday. “There are workarounds for most. They will be fixed in subsequent releases.”
— Ben Adlin (@badlin) February 8, 2018
The disruptions come on the heels of the state’s switch to new traceability software, Leaf Data, which is developed by MJ Freeway.
WSLCB’s Antolin assured licensees that “the information captured by the intruder does not contain personally identifiable information,” such as names or Social Security numbers, and that most data were already public. “With the exception of the manifest data, all the information obtained via the intrusion is publicly available,” he wrote.
Manifest data includes detailed information on where cannabis products in the legal market are, where they came from, and where they’re going. While that information may not be personally identifiable, reporter Tobias Coughlin-Bogue tells Leafly that unauthorized access could still put industry members at risk. “A breach in manifest data basically means hackers had access to info on where all the state’s pot was going,” he said. In the wrong hands, he explained, that information could conceivably be used to intercept shipments or even rob drivers carrying cash and thousands of dollars worth of cannabis products.
Route information in manifests filed between Feb. 1 and Feb. 4 was accessed during the incident, as well as descriptions of transporter vehicles, including VIN, license plate number, and vehicle type. “Please review your transport plans and take any appropriate steps you feel necessary for your business,” Antolin advised.
The WSLCB is set to host a live webinar on Friday at 10 a.m. to discuss the incident further. Registration is available online.
Meanwhile, the agency says it and MJ Freeway “continue to implement several strategies to prevent future vulnerabilities.” But because the investigation into Saturday’s breach is ongoing, however, “details on security are not publicly available.”
According to the WSLCB letter, MJ Freeway first became aware of transfer abnormalities on Saturday and went on to notify authorities in the following days:
The company immediately began a review and identified it as a potential security incident on Monday. MJ Freeway immediately notified the WSLCB. The WSLCB then contacted the Washington State Office of CyberSecurity, (OCS), which examined the data taken to determine if it contained personally identifiable information
An MJ Freeway representative did not immediately respond to phone and email messages left Thursday evening.
“The bottom line is that this incident is unfortunate,” Antolin wrote. “There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system. Know, however, that we will continue to take necessary steps to protect all traceability information. This includes an ongoing review of the information we require in traceability and the implementing the best practices in security.”