STIIIZY, a cannabis company, stated in a recent advisory that a data breach that it suffered earlier this week has allowed threat actors to infiltrate its point-of-sale (POS) vendor and steal user information.
Reports revealed that the alleged stolen data includes essential information, such as government IDs and purchase details.
STIIIZY is a California-based cannabis firm well-known for its pod-based vaporisers and a wide range of cannabis products, including flowers, edibles, THC concentrates, and extracts.
STIIIZY claimed that it became aware of the breach through its POS provider.
The data breach warning STIIIZY issued last week stated that it first identified the incident in November last year after its POS provider reported it.
According to investigations, the threat actors stole sensitive client information, such as driver’s license numbers, passport numbers, pictures, and transaction histories.
The confirmed data that was compromised during the breach included names, addresses, dates of birth, age, driver’s license numbers, passport numbers, photographs, signatures on government ID cards, medicinal cannabis cards, transaction histories, and other personal information.
These compromised details may vary for each impacted individual.
STIIIZY claims that its investigation suggests that the incident only affected customers who made purchases at four of its stores: two from San Fransisco, one from Alameda, and one from Modesto, all from California.
The company also assured the public that it has established extra security measures to secure consumer data and will provide free credit monitoring to individuals affected.
Because of the sensitive nature of the stolen data, impacted users should be more mindful of their credit history for fake accounts started in their name. Furthermore, they should be vigilant with unsolicited communications since they will be targeted by phishing attempts, as emails are among the compromised information.
While STIIIZY has not provided any information about the vendor or how the data was acquired, a ransomware group called Everest claimed responsibility back in November. The group alleges that it infiltrated the company and stole the personal information and IDs of more than 400,000 customers.