The cannabis industry was recently met with news of a significant data breach involving STIIZY, one of the most well-known cannabis brands. This incident exposed sensitive customer data, raising concerns about current cybersecurity practices within the industry. The breach serves as a stark reminder of the importance of robust cybersecurity measures for cannabis businesses.
As the cannabis sector continues to expand, its reliance on digital systems and sensitive data makes it an increasingly attractive target for cybercriminals. High-value transactions, customer information, and compliance complexities create a perfect storm for potential breaches. The STIIZY incident highlights the critical need for industry players to adopt stronger cybersecurity strategies and proactive measures to safeguard their operations and customer trust.
In this article, we’ll break down what happened, explore lessons learned, and offer actionable steps to protect your business from similar threats.
Cure8: Your Trusted Cannabis IT Experts
At Cure8, we specialize in managed IT services tailored to the unique needs of the cannabis industry. With years of experience managing IT systems for hundreds of cannabis facilities across North America — from dispensaries to cultivation sites and distribution centers — we have the expertise to protect businesses from cybersecurity threats. Whether it’s securing sensitive customer data, ensuring compliance with state and federal regulations, or optimizing IT systems for performance, Cure8 is here to help you every step of the way.
What Actually Happened in the STIIZY Data Breach?
In January 2025, STIIZY, a major cannabis brand, disclosed a data breach involving one of their third-party vendors. The breach occurred between October 10 and November 10, 2024, and impacted customer data at four locations: Union Square, Mission, Alameda, and Authentic 209 in Modesto. Compromised information included government-issued identification details, medical cannabis card data, transaction histories, and personal details such as names, addresses, and dates of birth.
The breach was linked to a vendor providing point-of-sale processing services. An organized cybercrime group, likely the Everest Ransomware Group – as reported by Texas-based cybersecurity startup Halcyon AI – exploited vulnerabilities in the vendor’s systems, leading to unauthorized access to sensitive customer data. STIIZY acted promptly upon discovering the incident, launching an investigation, improving security measures, and offering affected customers free credit monitoring and fraud assistance services.
This incident underscores the growing threat landscape in the cannabis sector. As an industry dealing with high-value transactions, sensitive customer data, and complex regulatory requirements, cannabis businesses are increasingly attractive targets for cybercriminals.
Key Takeaways from the STIIZY Breach
1. Third-Party Risks Are Real and Significant
The STIIZY breach was a stark reminder that third-party vendors can introduce vulnerabilities into your business. While these partners often provide essential services, they can also become the weakest link in your security chain. To mitigate these risks:
- Thoroughly vet vendors: Ensure that your partners have robust cybersecurity measures in place and adhere to industry best practices.
- Implement contractual safeguards: Include provisions in vendor contracts that require regular security audits and breach notifications.
- Limit access: Only grant vendors the minimum necessary access to your systems and data.
2. Strengthen Access Controls
Access control is a fundamental aspect of cybersecurity. In the STIIZY case, better access management might have minimized the breach’s impact. Here’s how you can strengthen your access controls:
- Enforce user authentication: Use multi-factor authentication (MFA) and single sign-on (SSO) to secure access to sensitive systems.
- Regularly review user accounts: Audit user permissions to ensure employees only have access to the systems and data they need for their roles.
- Establish clear onboarding/offboarding processes: Promptly disable accounts for departing employees and ensure new hires are granted appropriate access levels.
3. Reevaluate Data Storage Policies
A critical question every cannabis business must ask is: Are we storing more data than we need? Collecting and storing excessive customer information increases your risk profile. Here’s how to approach data management:
- Minimize data collection: Only collect data that is absolutely necessary for your operations.
- Comply with legal requirements: Ensure your data storage practices align with state and federal laws, including regulations specific to the cannabis industry.
- Implement encryption: Encrypt sensitive customer data both in transit and at rest to protect it from unauthorized access.
4. Verify Vendor Security Policies
Given the central role third-party vendors play in cannabis operations, it’s essential to regularly evaluate their security measures. Consider these steps:
- Request compliance certifications: Look for SOC 2, ISO 27001, or similar certifications that demonstrate a commitment to security.
- Review their incident response plans: Ensure your vendors have clear protocols for detecting and responding to breaches.
- Monitor their performance: Conduct periodic reviews of vendor security practices and update agreements as needed.
5. Prioritize Cybersecurity Holistically
Cybersecurity is not just about protecting your digital systems; it’s about safeguarding your entire operation. Take a comprehensive approach:
- Conduct regular cybersecurity reviews: Assess your IT systems, physical security measures, and employee training programs.
- Integrate physical and digital security: Ensure your physical security measures — such as cameras and access controls — complement your IT security efforts.
- Stay vigilant: Monitor your systems 24/7 for signs of unauthorized access or suspicious activity.
How Cure8 Can Help
At Cure8, we offer a range of services designed to help cannabis businesses strengthen their cybersecurity framework:
Cybersecurity Audits
Our comprehensive audits evaluate every aspect of your business’s security, including:
- System vulnerabilities
- Software access controls
- User management policies
- Data storage practices
- Physical security measures
We’ll provide a detailed report with actionable recommendations to address your specific risks.
Managed IT Services
Our managed IT services ensure your business stays secure and operational 24/7. Key features include:
- Continuous security monitoring
- Proactive incident response
- Regular system updates and patches
- Expert support to handle any IT challenges
Final Thoughts
The STIIZY data breach is a wake-up call for the entire cannabis industry. As the sector continues to grow, so do the risks posed by cyber threats. Businesses must take proactive steps to protect their systems, data, and customers.
Don’t wait for a breach to take action. Partner with Cure8 to safeguard your business and build a resilient IT infrastructure. Contact us today to learn more about our services and how we can help you stay ahead of evolving threats.