A security researcher discovered this week that the personal information of more than 11,000 medical marijuana dispensary applicants in Nevada could be accessed online, a revelation that caused the state to shut down its online MMJ portal.

Advertisement

ZDNet first reported Wednesday that a bug in the state’s medical cannabis website allowed anyone with the right web address to access an applicant’s full name, home address, Social Security number, citizenship and physical details.

The news site said Justin Shafer, a security researcher, discovered the problem. It’s not clear if other people accessed the data.

On Wednesday evening, the Nevada Division of Public Behavioral Health acknowledged the issue, saying it is investigating a possible cyberattack on its database.

“The entire portal has been taken down,” Cody Phinney, an official with the public health division, said in a release. “To prevent further breaches, the division’s IT staff are working with state IT staff, investigating the breach.”

Nevada legalized medical marijuana back in 2000 but didn’t set up a regulated industry until 2015. It’s not evident how far back the data leak goes.