Popular Los Angeles-based cannabis brand Stiiizy has admitted that hackers accessed a range of sensitive customer data during a cyberattack in November, including government-issued documents and medical marijuana cards.
In a data breach notification filed this week with the California Attorney General's Office, Stiizy said it was informed by its POS processing vendor that an “organized cybercriminal group” had compromised the data of some of its retail stores. Ta.
In a letter sent to affected customers, Stiizy acknowledged that hackers obtained processed customer data from an anonymous vendor between October 10, 2024 and November 10, 2024.
Stiizy said the stolen information included information on customers' driver's licenses, passports and medical marijuana cards. The hackers also accessed customers' names, addresses, dates of birth, transaction data, and other unspecified personal information.
Stiiizy, which operates 39 stores across the United States, has not yet disclosed how many customers were affected, but said the incident affected four retail stores in California. Stiiizy did not respond to TechCrunch's questions.
Stiiizy did not confirm or explain the nature of the incident, but Texas-based cybersecurity startup Halcyon AI said in a blog post in November that the cannabis business was the target of a ransomware attack.
Halcyon said the Everest ransomware group claimed credit for the cyberattack and announced that the group stole personal information, including identification documents, of more than 420,000 Stiizyy customers.
In a post on its dark web leak site seen by TechCrunch, Everest claims that Stiizyy released data stolen from the company after “ignoring” its ransom demands.