Aurora Cannabis breach exposes personal data of former, current workers

Don’t miss our MJBiz LinkedIn Live covering “Women Leaders in Cannabis: Shattering the Grass Ceiling” on Wednesday, March 27, at 2 p.m. ET. Visit LinkedIn to register!


A data breach at Aurora Cannabis has exposed the personal information of an unknown number of the Canadian company’s current and former employees, Marijuana Business Daily has learned.

An email sent to a victim of the data breach cites a Dec. 25 “cybersecurity incident during which unauthorized parties accessed data in (Microsoft cloud software) SharePoint and OneDrive.” The email was shared with MJBizDaily.

The victim, a former Aurora employee who was laid off in February 2020 alongside hundreds of others, wasn’t notified of the breach until late in the evening of Dec. 31.

The source said that working for Alberta-based Aurora was “an experience that I think a lot of people want to forget.”

“And then getting a reminder on the last day of 2020, just hours to go before 2020 ended, was just a bit of a kick to the face,” he said.

The former employee said he spoke with three current Aurora workers and five other former staffers whose information was exposed.

He said each person reported different data compromised in the breach, including credit card information, government identification, home addresses and banking details.

Aurora spokeswoman Michelle Lefler confirmed that the company “was subject to a cybersecurity incident” on Christmas that affected both current and former employees, although she did not confirm what kinds of personal information were exposed.

“The company immediately took steps to mitigate the incident, is actively consulting with security experts and cooperating with authorities,” Lefler wrote in a statement.

“Aurora’s patient systems were not compromised, and the company’s network of operations is unaffected.”

Lefler said she was unable to provide the specific number of Aurora employees whose data was exposed.

“I can confirm we are following all security protocols, are working with privacy councils and law enforcement and have communicated directly with any impacted current or former employee,” she wrote.

She did not respond to an MJBizDaily inquiry regarding whether the breach affected Aurora workers outside Canada and did not specify which authorities Aurora notified about the breach.

Aurora trades as ACB on the Toronto Stock Exchange and the New York Stock Exchange.

Solomon Israel can be reached at solomon.israel@mjbizdaily.com