The unsecured database even contained scans of users' photo IDs.
A team of data privacy researchers discovered a major breach in a platform used by multiple marijuana dispensaries in the United States to manage sales.
According to the researchers' report, the breach allowed them to access information about more than 30,000 buyers, including scans of government-issued photo IDs and details about the amount and types of cannabis products customers purchased.
Open and Shut
On Wednesday, VPN review website vpnMentor published a blog post detailing its discovery of the data breach.
The site's researchers reportedly found an unsecured storage database owned by THSuite, a company that makes point-of-sale software for cannabis dispensaries, on December 24, 2019. They contacted THSuite about the database on December 26, and by January 14, 2020, the breach was closed.
According to vpnMentor's report, the database contained 85,000 files, including personally identifiable information about more than 30,000 dispensary customers and employees.
In spot checks of the data, the researchers found links to three U.S. marijuana dispensaries — two of which strictly sell medical marijuana — though it wrote in the blog post that the breach affected many more.
"This raises serious privacy concerns," vpnMentor wrote. "Medical patients have a legal right to keep their medical information private."
READ MORE: Data Breach Exposes Personal Details of Over 30,000 U.S. Cannabis Users [Newsweek]
More on marijuana: Newly Discovered Weed Compound Is 30 Times More Potent Than THC