Not cool, man.

A data leak at Würk, a cannabis workforce HR platform, exposed the personal data of over 2.5 million users before it was discovered on December 21 by researcher Bob Diachenko.

Diachenko, who co-founded and runs Security Discovery, a company that trawls the web for insecure databases, told IT Brew that the breach was due to a MongoDB misconfiguration that left the firm’s data open to the public. That’s nothing new in the realm of cybersecurity, he added.

“There were always a bunch of those publicly exposed, misconfigured, and accessible by simple tools,” Diachenko said. “So there is no need to use any sophisticated techniques in order to access the data; it was just there. That's the scariest part.”

Danger, danger. A Cybernews report on the leak found that “the exposed data included records with cannabis dispensaries’ employee payrolls, addresses, dates of birth, and employment details” as well as encrypted Social Security numbers.

“With the current level of technologies, I don’t think it would be a problem to decrypt them,” Diachenko said.

According to Diachenko, the leak was “fixed silently with no feedback, no reply” two or three days after he disclosed it to the company. IT Brew’s attempts to reach Würk for comment were unsuccessful.

Industry specific. The cannabis industry is encountering the growing pains any successful sector of the economy would expect, compounded by the added complication of its nebulous legal status. In January, members of the National Cannabis Industry Association’s Risk Management and Insurance Committee (RMIC) wrote that people in the cannabis business need to manage the elevated threat.

Cannabis business owners should ensure they take precautions while managing their cyber defenses, the committee members wrote. Cyber insurance is a good idea, but due to US law, options are limited. That means it’s important to “hire a dedicated team that is focused on securing your digital estate,” Green Thumb Industries Director of Information Security Chris Clai told the RMIC.

Ultimately the threats to the cannabis business are not so different from the broad cybersecurity trends, Diachenko told IT Brew, and require the same kind of commonsense solutions. Cannabis industry professionals need “to follow cyber hygiene, at least at the basic level,” he said, and dodge avoidable vulnerabilities like those that led to the Würk data leak.

“It's a good old-fashioned misconfiguration, which has always been the result of a human mistake,” Diachenko said. “And it’s just another wake-up call for anyone using databases and overlooking all the access controls and firewall configurations—not following the simple cyber hygiene rules in order to keep these data and all their customers secure.”
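The misconfiguration Diachenko describes, a MongoDB instance listening on a public interface with no authentication required, is the kind of thing a defender can catch by auditing the server's own config file before it is deployed. The script below is an added example written for this article, not code from Würk, Security Discovery, or the MongoDB project. It assumes the `mongod.conf` has already been parsed into the nested dictionary that `yaml.safe_load()` would return, and the two sample configs embedded in it are constructed for illustration. It checks the real `net.bindIp`, `net.bindIpAll`, and `security.authorization` options; a host firewall is a separate layer that this check does not cover.

```python
"""Audit a parsed mongod.conf for the exposure pattern described in the article:
a listener bound to a non-loopback address combined with authentication left off.

The config is the nested dict yaml.safe_load() returns for mongod.conf.
Both sample configs below are constructed for this example.
"""
from typing import Any, Dict, List

# Constructed sample: listens on every interface, never asks for credentials.
WEAK_CONFIG: Dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "security": {},  # security.authorization unset -> mongod treats it as "disabled"
}

# Constructed sample: loopback only, and every client must authenticate.
HARDENED_CONFIG: Dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
}

# Addresses that keep the listener reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def bind_addresses(cfg: Dict[str, Any]) -> List[str]:
    """Return the addresses mongod would listen on for this config.

    Since MongoDB 3.6 the default bind address is localhost; net.bindIpAll
    overrides net.bindIp and binds every IPv4 and IPv6 interface.
    """
    net = cfg.get("net") or {}
    if net.get("bindIpAll"):
        return ["0.0.0.0", "::"]
    raw = net.get("bindIp", "localhost")
    return [addr.strip() for addr in str(raw).split(",") if addr.strip()]


def audit_mongod_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings: List[str] = []
    public = [a for a in bind_addresses(cfg) if a not in LOOPBACK]
    authorization = (cfg.get("security") or {}).get("authorization", "disabled")

    if public:
        findings.append(
            "net.bindIp exposes the listener on non-loopback address(es): "
            + ", ".join(public)
        )
    if authorization != "enabled":
        findings.append(
            "security.authorization is not 'enabled'; clients connect without credentials"
        )
    if public and authorization != "enabled":
        # This is the combination behind the leak: reachable from outside
        # the host and readable by anyone who can open a TCP connection.
        findings.append(
            "CRITICAL: listener reachable beyond localhost with no authentication; "
            "every collection is readable by anyone who can reach the port"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_mongod_config(cfg) or ["no findings"]:
            print("  -", finding)
```

In practice you would run `audit_mongod_config(yaml.safe_load(open("/etc/mongod.conf")))` from a pre-deployment check or a config-management test, and treat any `CRITICAL` finding as a blocker. Binding to a private interface with authentication enabled is the acceptable way to let application servers reach the database; the audit reports that as a single non-critical finding so a reviewer still sees where the listener is reachable.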