Retailers have long been favorite targets of cybercriminals, and today’s burgeoning cannabis retail industry is not immune. In fact, for several reasons, cannabis dispensaries are ripe for crippling cyberattacks.
Across the retail landscape, cybercriminals are looking for the same payday in their assaults: sensitive and valuable data such as credit card information, personally identifiable information (PII) and even trade secrets and/or intellectual property. Cannabis retailers are particularly attractive targets not only for the coveted customer data they hold; cybercriminals are always on the lookout for businesses operating in a young and rapidly growing industry, like the cannabis sector, where many retailers have not incorporated mature cyber security practices into their business processes.
For a cannabis retailer, the financial losses associated with a data breach, especially for a smaller operation, can be devastating. A study conducted by IBM and the Ponemon Institute in July 2018 determined the global average cost of a data breach to exceed $3 million. This figure factored in costs for remediation, notification and credit monitoring, which are mandatory components of data breach response in most states. According to the U.S. National Cyber Security Alliance, 60% of small businesses that have suffered a data breach have gone out of business within six months.
A public perception of weak cyber security can also severely shake consumer confidence and negatively affect a company’s future sales and growth. A February 2019 survey of Americans found that after a retailer’s data breach, a significant number of people across all age ranges are not likely to shop again at that store: 40% of Gen X (ages 40-54) are least likely, followed by 26% of millennials (ages 23-38) and 34% of baby boomers. Customers may understandably be extremely reluctant to provide their personal information when purchasing marijuana from a retail dispensary whose network was previously compromised due to an immature cyber security strategy.
Current Cybercrimes Targeting the Cannabis Industry
The vast majority of cyber compromises today result from attacks targeting “the people at the keyboards,” i.e., employees, contractors and third parties with access to a company’s network. Employees of cannabis retailers are prime targets for cyberattacks aimed at stealing or compromising their credentials. Once criminals are in, they conduct reconnaissance and identify databases which contain sensitive information that can be monetized through a variety of fraudulent activities or simply sold to other criminals operating on dark web forums.
While the theft of sensitive data is a security concern for any retailer, cannabis businesses face a compounded threat due to the commodity they sell. This threat increases for medicinal marijuana dispensaries, which maintain protected health information (PHI), as those types of records are much more valuable on dark web forums than common PII due to the additional information they contain. Although medicinal marijuana dispensaries are not covered entities under the Health Insurance Portability and Accountability Act (HIPAA), which would restrict how they are able to utilize patient data, they must still comply with strict state privacy laws. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all personal data, health or otherwise. Provinces and territories have the right to create their own rules and regulations as long as they are “substantially similar” to PIPEDA.
Cannabis industry employees need to be cognizant and on alert for attacks being deployed every day through emails with malicious software embedded in hyperlinks or attachments. Today’s phishing emails are very convincing and often the product of a previous compromise of a co-worker, customer, vendor, business partner or just someone the recipient trusts. These emails no longer notify recipients that they’ve inherited millions of dollars from a Nigerian prince. Instead, modern hackers leverage publicly available information to conduct research on businesses and their employees, then send extremely credible emails to employees. Believing the emails were sent from a trusted source, unsuspecting victims end up clicking on links or opening attachments that download malware such as ransomware, banking trojans, keystroke loggers, point of sale (POS) malware, etc.
In recent months, numerous retailers have had their networks compromised after receiving an email purchase request contained in a Word document. Unsuspecting employees who try to access the information in the Word document are immediately advised to upload the latest version of the software and download macros to view the document. Once downloaded, the purported macros execute embedded malware that enables hackers to move laterally throughout the victim network, searching for sensitive data.
All businesses are susceptible to this kind of cyberattack, but companies just starting out with a relatively new workforce, which characterizes many marijuana retailers today, face a higher risk.
Ransomware continues to be a favorite of cyberattackers. Ransomware attacks are more sophisticated than the cyber “smash and grabs” that I witnessed during my days as a Special Agent with the FBI. Those attacks targeted small companies and individuals and sought to encrypt data (files and photos) on personal devices. Victims were forced to pay $300-$500 in Bitcoin or other cryptocurrency to obtain a decryption key and regain access to their files.
Ransomware has evolved to the point where it is usually delivered after cybercriminals have already infected corporate networks with a trojan such as Emotet, Trickbot, Bokbot, Dridex, Qakbot, etc. After these trojans are embedded in a corporate network and cybercriminals learn how the network is configured, they then deploy a variant of ransomware simultaneously across the network, effectively shutting down the business. These trojans are usually delivered by an end-user clicking on a link or opening a malicious attachment in an email. I cannot overemphasize how education and vigilance regarding email practices is crucial for preventing ransomware attacks.
While the above-referenced cybercrimes are commonly used to target retailers, cannabis dispensaries are especially vulnerable because they deal in a commodity whose use remains contentious despite marijuana’s legalization in the states where it is sold. Cyber extortionists are constantly trying to get access to sensitive data that they can use to threaten victims with exposure if a demand (usually paid in cryptocurrency) is not met.
Cybercriminals that gain access to a marijuana dispensary’s client database could attempt to extort high-profile customers, like politicians, business executives, professional athletes, entertainers, clergy, etc., who may not want the public to know that they are using marijuana, even if it is legal. This unexpected negative exposure could potentially threaten clients’ livelihoods. Cannabis retailers must consider the additional privacy customers expect when they provide their personal data to a dispensary to conduct a transaction.
Another concern for marijuana retailers is their higher-than-average potential to become targeted by nation-state actors. Over the years, nation-state actors have aimed at everything from government databases and cleared defense contractors to insurance and healthcare companies. Nation-state actors conduct their attacks for intelligence-gathering purposes. Whether the goal is to steal intellectual property from a cleared defense contractor or to gather information on government employees for potential recruitment activities, these large data breaches result in a treasure trove of information for the intelligence services of U.S. adversaries. The marijuana industry’s controversial commodity places it at higher risk for intelligence-gathering and potential co-opting/recruitment activities.
- Video Surveillance and the Internet of Things
All states that have legalized marijuana sales require retailers to incorporate video surveillance in their facilities as a mandatory security feature. The retention period to maintain this video data ranges from 90 days to one year, depending upon the state. Having your image recorded and stored while you shop for marijuana raises major privacy issues, but the cyber security risks for potential extortion raises the stakes for cannabis retailers.
Many retailers now use video surveillance equipment that is accessible through the internet. While these Internet of Things (IoT) devices offer the convenience and flexibility of remote access and monitoring, the security risks associated with these devices are often overlooked. For example, many of these devices are accessed using default passwords, i.e., the password provided by the manufacturer. These passwords are often universal, easy to guess or even posted on the manufacturer’s website to help users set up a device. Other risks arise from the habit of people using the same password to access multiple databases/platforms or from accessing the device from an unsecure or compromised network.
Cannabis retailers should consider these vulnerabilities when connecting devices to their network. If security measures such as VPN, multi-factor authentication, segmentation and the policy of least privilege are not implemented to limit access to the video (including storage and transfers to backups), then cannabis retailers should understand they are at greater risk for this data to be compromised and monetized by cybercriminals.
There are additional IoT risks for cannabis retailers that grow and cultivate plants. Many grow operations utilize automated, internet-accessible watering, temperature and humidity control systems and lighting programs. The same IoT vulnerabilities that accompany video surveillance exist with these systems. For example, if a competitor were able to access these environmental systems through weak cyber security measures, they could overwater, create cold temperatures or turn off lights that could effectively cause a crop failure.
- Cash-Based and Nontraditional Financial Transactions
As most U.S. banks are federally regulated institutions, the Federal Deposit Insurance Act prohibits them from conducting transactions related to federally prohibited activities. While marijuana has been legalized in Canada and in most U.S. states, it is still classified as an illegal Schedule I drug under the U.S. federal Controlled Substances Act. Until it is recognized as a legal commodity under federal law, credit cards or debit cards linked to a credit account cannot be used as acceptable forms of payment at marijuana dispensaries. Banks are unwilling to risk violating federal anti-money laundering laws by financing cannabis businesses or supporting these financial transactions for their customers. This presents obvious physical threats to cannabis businesses that are consequently predominantly cash-only transaction facilities.
To mitigate the risk of harm to employees and customers from potential thieves, cannabis retailers are exploring alternatives to pure cash transactions. Several purchasing options have become available through online payment systems such as payment cards connected to specific cannabis mobile apps, private banks (not federally regulated), marijuana-specific POS systems and cryptocurrencies. While these options may reduce the physical threats created by having exorbitant amounts of cash at retail premises, the risk of theft by cyber tactics must be considered. The storage of customers’ sensitive data through online transactions or in-store electronic transactions puts additional responsibilities on retailers to protect that data and process it safely.
This is especially true for businesses that grant access to their network to third-party vendors when processing transactions. Cannabis dispensaries should implement measures to encrypt their customers’ data and segment their processing systems from their network wherever possible. If a cannabis dispensary is going to accept cryptocurrency payments, it should secure its cryptocurrency wallet against cyber theft through basic security strategies such as encrypting private keys and utilizing an external (hard token) cryptocurrency wallet.
- Digital Marketing Vulnerabilities
While the cannabis industry has its own unique regulations, dispensaries are similar to other retailers in that they need to provide good customer service while continuing to generate future revenue. Like many retailers, dispensaries rely on marketing techniques to develop and grow their customer base. Knowing a client’s preferences and anticipating their shopping and spending habits can significantly factor into good marketing strategies. Many cannabis dispensaries aim to anticipate how much and how often a customer will purchase their product and also how to provide current and future clients with information regarding new products or special offerings. To successfully employ these types of marketing techniques, cannabis dispensaries need to acquire and maintain personal information that includes names, addresses, telephone numbers and email addresses.
Legislation in all “cannabis legal” states requires customers to provide a government-issued identification to prove they are of the legal minimum age to purchase marijuana. To facilitate this process for returning customers, many dispensaries maintain customers’ proof of age in their databases. Although various U.S. laws restrict how long dispensaries can maintain and utilize this type of sensitive data and PIPEDA strongly suggests appropriate retention periods, the mere fact that it does exist on a database for any given time presents a risk of exposure to attack by cybercriminals.