Hacker breaks into state’s Cannabis tracking systems and steals route information

The state’s new pot-tracking system was hacked some time Feb. 3, and an “intruder” stole route information associated with four days of marijuana deliveries, as well as other information.

“It was a breach of the system and indications show they downloaded a copy of the traceability database,” said Brian Smith, a spokesman for the Liquor and Cannabis Board (LCB). “It did something in the system — I’m not at liberty to talk about — that affected the transfer and manifest data — that was, in part, responsible for the issues this week.”

The state on Feb. 1 transitioned to a new marijuana-traceability system, Leaf Data Systems, which has been dogged by problems since its launch. The technology issues have kept marijuana growers and sellers scrambling to keep their businesses running. Some have worried about keeping marijuana on increasingly sparse store shelves.

Problems associated with the hack were discovered Feb. 4 by MJ Freeway, the company providing the data service and pot-tracking software. On Feb. 5, the company identified the problem as a “possible security incident” and notified the LCB, according to a message that went out to all marijuana licensees Thursday. At that point, the LCB contacted the Washington State Office of CyberSecurity, which is investigating the hack. Smith said marijuana businesses were not notified of the attack until Thursday because of that agency’s protocol.

 

The security flaw was resolved on Feb. 5, Smith said. The state agency plans to continue using MJ Freeway as a vendor.

“No online presence is 100-percent safe,” he said. “There are steps that MJ Freeway has taken to ensure that it’s secure and meets modern standards. We’re sticking with MJ Freeway.”

In addition to transportation manifests, delivery-vehicle information like type, license-plate number and VIN number were also taken. That information is available through public-record requests, Smith said.

MJ Freeway has had products hacked several times before, and source code for some of its software was posted online last year, according to Marijuana Business Daily, an industry publication.

Pot proprietors Thursday questioned the LCB’s selection of MJ Freeway, considering its previous breaches.

“It’s been a pretty well-known fear: MJ Freeway was not Fort Knox. Boy, was everybody right straight out of the gate,” said Steve Lee, who owns two marijuana businesses and is a Kennewick city councilman.

Marijuana-traceability systems were designed, in part, to help regulators satisfy Obama-era federal guidelines about marijuana diversion. If pot could be tracked, the theory went, then federal officials would have more assurances it wasn’t crossing state lines or going into the black market.

Lee said the hack has eroded the traceability system’s integrity, and will have him sleeping less easy about federal involvement in the state’s legal marijuana market.

“It’s a catastrophic failure at the state level, and it leaves us all worrying about our futures,” he said.

What the hacker(s) were after is not immediately clear, but pot proprietors worried that data could be manipulated.

“If somebody can get in and read the data, they can also write (code) to it. They can disrupt the entire industry. That opens up corporate blackmail,” said Logan Bowers, co-owner of Seattle pot shop Hashtag. Bowers worked in software for about 20 years before opening his store.

Even with the hack issue resolved, pot proprietors said the industry is not running at full speed because of myriad other tech issues during the state’s transition to Leaf Data Systems. Bowers said his store was only able to get three of six scheduled shipments Thursday, and most of the vendors he buys from are not able to deliver marijuana yet.

Jeremy Moberg, a marijuana grower in Okanogan County, said the state should return to the contingency system it had been using for several months during a gap in service from traceability vendors. The state was supposed to transition to a new data system last November, but that was delayed after the company initially selected for contract negotiation by the LCB withdrew from consideration.

  • Is this a coincidence? let us knowe in the comment below.