MJ Freeway experiences second security breach in 2017, calls it ‘a theft’

(Note: This story has been updated from an earlier version.)

By John Schroyer

Denver-based MJ Freeway, one of the more prominent software firms in the cannabis sector, has suffered a cybersecurity breach for the second time in six months.

The company said some of its source code information was posted illegally online last week. MJ Freeway officials are calling it “a theft” but said the breach won’t impact customer or patient data.

The breach follows a hacking incident in early January that resulted in a major crash of MJ Freeway’s point-of-sale system, which is used by hundreds of marijuana retailers across the country.

Though MJ Freeway’s source code information was taken down Monday, it remained accessible for about four days on gitlab.com and even sparked a discussion thread on Reddit.

“We do consider this a theft,” said Jeannette Ward, MJ Freeway’s director of data and marketing. “We did report this to the Colorado Bureau of Investigation.”

Source code is the human-readable set of instructions, written in a programming language, from which software is built. When used by a private company, source code often is proprietary.

Ward said she doesn’t know who posted the company’s information online, but “it was not something we did. We did not post our source code.”

She said the matter is “under investigation still.”

The company contracted a third-party analyst to examine the information that was posted, Ward said, but after a 60-hour audit process, the probe was called off on June 27.

Extended time online

According to Ward, the posted information was an “outdated version of our source code,” so it’s not nearly as much of a cyberthreat as up-to-date, live code would be.

“It’s not something that will impact our customers’ or patients’ data in any way,” Ward said. “It doesn’t impact our product because it’s outdated source code. So it’s not a big deal.”

Regardless, the incident could represent another security issue for the company after the system hack in January.

“It’s like an aneurysm. You don’t know if it’s going to kill you now or in 30 years. Once that risk is there, you’ve got a threat,” Connor Penhale, the CEO of software consulting firm Compliant Cannabis, said about the possible ramifications of such a breach.

“What’s happened is, someone has exposed all of the possible threats – now and in the future. MJ Freeway’s job just got a lot harder from a security perspective.”

Penhale emphasized, however, that IT solutions are available that can help the company weather the storm.

Surge of success

MJ Freeway has been on an upswing in recent months. The company has landed two government seed-to-sale contracts – in Pennsylvania and Washington state – as well as $3 million in financing to help fund market expansion.

The Washington State Liquor and Cannabis Board has discussed last week’s breach with MJ Freeway executives, according to the board’s communications director, Brian Smith.

“We know that MJ Freeway follows strict industry security standards … We are satisfied with the security measures they have in place,” Smith wrote in an email to Marijuana Business Daily.

The company shouldn’t expect that mindset from all its clients, however.

“What MJ Freeway’s customers need to ask themselves is – based on the track record that MJ Freeway has – do I feel confident that they can handle this one more big thing that they have on their plate?” said Penhale, whose company used to offer a point-of-sale system to the cannabis industry. “It’s a reasonable question to ask.”

Aside from offering software consulting, Penhale’s firm also sells a software platform that hosts online marijuana-related services, such as cultivation sensor data gathering.

Another question is why MJ Freeway’s information remained online for four days, as gitlab.com reported.

Ward said MJ Freeway became aware of the information theft last week but only learned of the gitlab.com post on Sunday.

According to Penhale, the fact the information was online for an extended period instead of being taken down immediately increased the likelihood it was downloaded by someone who may want to try to use it against either MJ Freeway or its clients.

Ward reiterated the information posted online was out of date and therefore is harmless.

Security solutions

Penhale suggested that MJ Freeway should hire an outside cybersecurity expert to audit the company’s business operations in an effort to plug whatever holes may have led to the two breaches.

“When a big company has a problem, they say, ‘Mea culpa, we screwed up, here’s the consultant we’re bringing in to fix things.’ Because that helps,” he said. “They need to hire a kind of Northern Star in the IT industry, someone everyone can point to and say … we can trust what they say.”

Ward said MJ Freeway brought on an independent security consultant after the initial breach in January.

“They’ve been on staff ever since” performing audits and reviews of the company’s cybersecurity, Ward said. “That is an ongoing thing, to make sure our defenses are as good as they could be.”

She blamed a competitor for circulating word among industry observers about the gitlab.com breach and the Reddit thread.

“(The breach) doesn’t pose a threat or risk to our current MJ Freeway software or services. It doesn’t pose a risk or threat to our clients or patient data. And the information this competitor is sending people says the opposite of that. It even goes further than that and claims that this information is now imminently at risk, and that’s absolutely not true,” Ward said. “That, as a business practice, is unethical, and we should not tolerate it in this industry.”

Meanwhile, Ward said MJ Freeway has made significant headway in retrieving customers’ historical data that was lost during the January breach and that everything that’s recoverable has been recovered, roughly 90%.

“We are done recovering data,” she said. “We have communicated to customers, ‘This is what we have.’”

John Schroyer can be reached at johns@mjbizdaily.com