MJ Freeway experiences second security breach in 2017, calls it ‘a theft’

(Note: This story has been updated from an earlier version.)

By John Schroyer

Denver-based MJ Freeway, one of the more prominent software firms in the cannabis sector, has suffered a cybersecurity breach for the second time in six months.

The company said some of its source code information was posted illegally online last week. MJ Freeway officials are calling it “a theft” but said the breach won’t impact customer or patient data.

The breach follows a hacking incident in early January that resulted in a major crash of MJ Freeway’s point-of-sale system, which is used by hundreds of marijuana retailers across the country.

Though MJ Freeway’s source code information was taken down Monday, it remained accessible for about four days on gitlab.com and even sparked a discussion thread on Reddit.

“We do consider this a theft,” said Jeannette Ward, MJ Freeway’s director of data and marketing. “We did report this to the Colorado Bureau of Investigation.”

Source code is the human-readable program text from which software is built. When written by a private company, source code is usually proprietary.

Ward said she doesn’t know who posted the company’s information online, but “it was not something we did. We did not post our source code.”

She said the matter is “under investigation still.”

The company contracted a third-party analyst to examine the information that was posted, Ward said, but after a 60-hour audit process, the probe was called off on June 27.

Extended time online

According to Ward, the posted information was an “outdated version of our source code,” so it poses far less of a cyberthreat than the current, live code would.

“It’s not something that will impact our customers’ or patients’ data in any way,” Ward said. “It doesn’t impact our product because it’s outdated source code. So it’s not a big deal.”

Regardless, the incident could represent another security issue for the company after the system hack in January.

“It’s like an aneurysm. You don’t know if it’s going to kill you now or in 30 years. Once that risk is there, you’ve got a threat,” Connor Penhale, the CEO of software consulting firm Compliant Cannabis, said about the possible ramifications of such a breach.

“What’s happened is, someone has exposed all of the possible threats – now and in the future. MJ Freeway’s job just got a lot harder from a security perspective.”

Penhale emphasized, however, that IT solutions are available that can help the company weather the storm.

Surge of success

MJ Freeway has been on an upswing in recent months. The company has landed two government seed-to-sale contracts – in Pennsylvania and Washington state – as well as $3 million in financing to help fund market expansion.

The Washington State Liquor and Cannabis Board has discussed last week’s breach with MJ Freeway executives, according to the board’s communications director, Brian Smith.

“We know that MJ Freeway follows strict industry security standards … We are satisfied with the security measures they have in place,” Smith wrote in an email to Marijuana Business Daily.

The company shouldn’t expect that mindset from all its clients, however.

“What MJ Freeway’s customers need to ask themselves is – based on the track record that MJ Freeway has – do I feel confident that they can handle this one more big thing that they have on their plate?” said Penhale, whose company used to offer a point-of-sale system to the cannabis industry. “It’s a reasonable question to ask.”

Aside from offering software consulting, Penhale’s firm also sells a software platform that hosts online marijuana-related services, such as cultivation sensor data gathering.

Another question is why MJ Freeway’s information remained online for four days, as gitlab.com reported.

Ward said MJ Freeway became aware of the information theft last week but only learned of the gitlab.com post on Sunday.

According to Penhale, the fact the information was online for an extended period instead of being taken down immediately increased the likelihood it was downloaded by someone who may want to try to use it against either MJ Freeway or its clients.

Ward reiterated the information posted online was out of date and therefore is harmless.

Security solutions

Penhale suggested that MJ Freeway should hire an outside cybersecurity expert to audit the company’s business operations in an effort to plug whatever holes may have led to the two breaches.

“When a big company has a problem, they say, ‘Mea culpa, we screwed up, here’s the consultant we’re bringing in to fix things.’ Because that helps,” he said. “They need to hire a kind of Northern Star in the IT industry, someone everyone can point to and say … we can trust what they say.”

Ward said MJ Freeway brought on an independent security consultant after the initial breach in January.

“They’ve been on staff ever since” performing audits and reviews of the company’s cybersecurity, Ward said. “That is an ongoing thing, to make sure our defenses are as good as they could be.”

She blamed a competitor for circulating word among industry observers about the gitlab.com breach and the Reddit thread.

“(The breach) doesn’t pose a threat or risk to our current MJ Freeway software or services. It doesn’t pose a risk or threat to our clients or patient data. And the information this competitor is sending people says the opposite of that. It even goes further than that and claims that this information is now imminently at risk, and that’s absolutely not true,” Ward said. “That, as a business practice, is unethical, and we should not tolerate it in this industry.”

Meanwhile, Ward said MJ Freeway has made significant headway in retrieving customers’ historical data that was lost during the January breach and has recovered everything that is recoverable, roughly 90%.

“We are done recovering data,” she said. “We have communicated to customers, ‘This is what we have.’”

John Schroyer can be reached at [email protected]

10 comments on “MJ Freeway experiences second security breach in 2017, calls it ‘a theft’”
  1. Barry2thewind on

    What the industry should NOT tolerate is the fact that MJ Freeway knew for FOUR DAYS and made the conscious decision to not immediately notify all of its customers about this issue. WE HAVE A RIGHT TO KNOW THESE THINGS! This is by very definition harmful negligence. “It’s NOT A BIG DEAL”?!?!? Are you kidding me? They may have version one 1.5 of our systems, but don’t fret we’re now running version 1.6. I get it, the fact that it’s slightly less of a deal if it’s not up to date, but that’s like saying…. “Don’t worry about stepping on those land mines, our factories are now making the new XJ2 models.” YOU are one of the oldest marijuana software companies out there, act like it. Own up to an internal mistake if you want our respect. We deserve that much.

  2. Clif Croan on

    Don’t they have driver’s license information and other personal ID material? How many times will MJ Freeway drop the ball before the dispensaries protect the consumers? At this point the dispensaries need to make some tough decisions – like protecting the patient data!

  3. Andrew J. Collier on

    I’d guess there will be very little follow up communication about these and prior data and security issues. This industry in general starts off fixing the messes pretty strong, then sort of just trails off…I suppose that could be the media too. You never hear anything else about it, unless you really do the research. But I guess that’s true a lot of times in our evolving short term oriented culture.

    I’ve dealt with state financial and cannabis regulations/regulators in CA and CO. I can’t even imagine what type of power hungry people are running things in these new MJ states like MA, MD, NY, MN, HI, etc. They pick and win losers better than the market and are giving out the contracts and licenses. That instills confidence in some people apparently. Black markets will just be bigger and blacker than before.

  4. Brent on

    I don’t trust them, this is the same company that told us all their backups were corrupted by the earlier data breach. How do you not have offsite and/or offline backups?

    • H. Ackerman on

      Kudos, finally someone from a security standpoint steps in and speaks some truth. We learned about off-site backups in a different disaster region the first week of info-sec. 😉

  5. David Harkness on

    This breach was nothing like stepping on a land mine. It’s akin to a restaurant having the recipe for its famous apple pie posted online. It doesn’t spoil any apple pies you ate there before, nor does it stop them from baking more themselves.

    Good security does not rely on secret details in the source code. It needs good password and key management practices, logging, intrusion detection, etc. Most likely the code was published by a current or future employee or a breach of their SCM account. Neither of these endangers client or patient data by itself.

    Should they have notified all customers immediately? Maybe, but there’s no action for customers to take. Should a dispensary notify all of their customers if someone broke in and stole some products? Probably not.

    To be clear, this incident is very different from the previous data access breach. It doesn’t look good for them, but I agree that this should pose little problems for clients other than trust.

    • M on

      Apple pie and software are not the same. A better analogy is a car manufacturer getting the designs for their cars stolen. Does that include the designs of all the door locks? Probably, and if so that gives criminals a great head start on breaking in. If it’s an older version of the design, has the door lock been redesigned thoroughly enough that the stolen designs don’t matter? Well, that’s what MJ Freeway wants you to believe, but as usual they’re selling more spin than real transparency.

  6. Morgan Glenn on

    This is becoming a pain in the ass. Hard to get these guys to return calls. We still don’t have our historical data from the first breach and can’t use the engine still for reports today. We need that data for legal reasons, Dept Of Treasury paperwork and security analysis of sales. Get it together. Everyone deserves a full refund at this point.

