Stiiizy, a well-known Los Angeles-based cannabis brand, has confirmed that hackers accessed sensitive customer data, including government-issued documents and medical cannabis cards, during a November cyberattack. The company filed a data breach notice with California's attorney general, revealing that an "organized cybercrime group" had compromised customer data from some of its retail locations.

According to the notice, Stiiizy was notified by its point-of-sale processing vendor that the hackers had accessed customer data processed between October 10 and November 10, 2024. The stolen information includes customer names, addresses, dates of birth, transaction data, and other unspecified personal information, as well as sensitive documents such as driver's licenses, passports, and medical cannabis cards.

Stiiizy operates 39 stores across the United States, but the incident affected only four of its retail locations in California. The company has not yet disclosed how many customers were affected by the breach. Despite requests for comment, Stiiizy did not respond to TechCrunch's inquiries.

While Stiiizy has not confirmed or described the nature of the incident, a November blog post by Texas-based cybersecurity startup Halcyon AI suggests that the cannabis operator was the target of a ransomware attack. The Everest ransomware group claimed credit for the cyberattack, according to Halcyon, which reported that the gang had stolen the personal information, including identification documents, of more than 420,000 Stiiizy customers.

In a post on its dark web leak site, which TechCrunch has seen, Everest claims to have published the data stolen from Stiiizy after the company "ignored" its ransom demands. This development raises concerns about the potential misuse of the stolen data, including identity theft and fraud.

The incident highlights the vulnerability of businesses in the cannabis industry to cyber threats. As the industry continues to grow, it is essential for companies like Stiiizy to prioritize customer data security and implement robust measures to prevent such breaches in the future.

The Stiiizy data breach serves as a reminder for customers to remain vigilant and monitor their personal information for any signs of suspicious activity. It also underscores the need for greater transparency and accountability in the event of a data breach, ensuring that affected individuals are promptly notified and provided with adequate support.

As the investigation into the Stiiizy data breach continues, it remains to be seen what measures the company will take to prevent similar incidents in the future and to mitigate the damage caused by this breach. One thing is certain, however: the incident serves as a wake-up call for the cannabis industry to take data security seriously and prioritize the protection of customer information.