Hackers Breach Cannabis Brand Stiiizy, Stole Sensitive Customer Data

Data Breach Confirmed by Stiiizy

Popular Los Angeles-based cannabis brand Stiiizy has confirmed that hackers accessed sensitive customer data, including government-issued documents and medical cannabis cards, during a cyberattack that occurred in November.

Details of the Breach

In a data breach notice submitted to California's attorney general this week, Stiiizy revealed that it was alerted by its point-of-sale processing vendor regarding an "organized cybercrime group" that had compromised customer data from some of its retail locations.

In correspondence with affected customers, Stiiizy stated that hackers obtained customer data processed by the unnamed vendor between October 10 and November 10, 2024. The breached data includes customer driver’s licenses, passports, medical cannabis cards, names, addresses, birth dates, transaction details, and other unspecified personal information.

Scope of the Data Breach

Stiiizy, which operates 39 stores across the United States, has not disclosed the total number of affected customers, but specified that the breach impacted four of its retail locations in California. Stiiizy has not responded to requests for comment.

Potential Ransomware Attack

While Stiiizy has not provided details regarding the nature of the incident, Texas-based cybersecurity startup Halcyon AI reported in a November blog post that the cannabis operator was targeted by a ransomware attack.

Involvement of Everest Ransomware Group

The Everest ransomware group has claimed responsibility for the cyberattack, according to Halcyon, stating that the gang stole personal data, including identification documents, from over 420,000 Stiiizy customers.

Everest has also reportedly posted the stolen data on its dark web leak site after Stiiizy allegedly "ignored" its ransom demands.
