Cannabis Compliance ,

Hackers show no mercy—even for pot dispensaries

By Michelle Drolet
27 Feb 2017

Anatomy of a national point-of-sale breach and takedown of 1,000-plus marijuana dispensaries

 

Back when Apple was the plucky young upstart that dared to be different, the Mac was the machine for creative types and there was a perception that it wasn’t a target for hackers because of its cultural cool factor.

You would expect the same rules to apply to the legalized marijuana market, but a major hack attack on a pot dispensary last month set that notion up in smoke.

MJ Freeway, providers of popular medical marijuana tracking software, suffered a point-of-sale system hack that left over 1,000 marijuana dispensaries unable to track their sales and inventories. Because of the state regulations regarding the sale of marijuana, some dispensaries were forced to close early or shut their doors completely. The disruption lasted weeks and caused patients to suffer long delays with obtaining access to their medicine.

Closer inspection reveals this was a well-coordinated cyber attack that was intended to take the system down.

Picking targets

Probably the real reason Macs weren’t targeted so much in the past was a combination of low user numbers and Apple’s smart approach to security. Nowadays the firm’s devices are so popular with a wealthy customer base that they’re increasingly becoming a target.

The cannabis industry has also been soaring in the last few years, and so perhaps it should come as no surprise that it has become a target, too.

This recent attack on MJ Freeway was aimed at corrupting files and data, rather than stealing them. The company insists no client data was stolen. In a Q&A with mg retailer, a spokesperson claims all medical cannabis patient and business data was encrypted and that there’s no evidence it was compromised. The intention apparently was to disrupt the system, but the motive is unclear.

How did the attack work?

The attack simultaneously targeted the live, production and backup servers at MJ Freeway. Despite having redundancies built in with multiple backups on multiple servers with a variety of companies in different locations, the attackers were able to hit everything in a short period of time.

This is partly because the company was unaware it was being attacked for the first few hours. Once the problem was discovered, MJ Freeway began restoring service for clients within 24 hours.

It’s vital to have a data recovery plan, but this attack also highlights the importance of having strong real-time security to uncover breaches so that you can take action before it’s too late. Once cyber attackers gain access to your system, it’s relatively easy for them to dig deeper and spread laterally.

Prospects for recovery

Customers that maintained a separate data backup have been able to get up and running again with minimal disruption, but others have lost records permanently. The traceability system, which tracks the chain of custody for complete transparency from “seed-to-sale” was corrupted, and it seems much of the data may be unrecoverable.

This is obviously a disaster for MJ Freeway. Despite working hard to restore service, some customers have already jumped ship, which is the inevitable consequence of any security incident like this.

The costs of data recovery and improving security, along with compensation and reputational damage, could be high. The true cost of a data breach only becomes clear over time.

Lessons to be learned

Many small and mid-sized businesses nowadays rely on cloud-based services like this from third-party providers. By 2020, 78 percent of small businesses will be fully adapted to the cloud, according to Intuit. There’s a big lesson to be learned here: Always maintain your own regular backups.

All the MJ Freeway customers that had an uncorrupted backup that they maintained themselves were able to restore service quickly. It was also easier for them to switch providers with minimal disruption to their clients. That said, whether the client had their own data backups had no bearing on how quickly they had access to an operational MJ Freeway site.

Any business that’s going to put its trust and data in the hands of a third party really must research that company thoroughly.

MJ Freeway has migrated its clients’ sites to a more secure environment, but the real question is: Why did it take an attack like this for them to improve their security? Whatever the cost of this breach ends up being for MJ Freeway, you can be sure it would have been a lot cheaper to implement proper security in the first place.

But that’s always easier said than done.

 

This article was originally posted on NetworkWorld >