Ontario Cannabis Store data breach raises credibility, security concerns

Image depicting computer software

The credibility of the government-run Ontario Cannabis Store is at stake after sensitive industry data was misappropriated and leaked, according to experts.

The Ontario Provincial Police (OPP) confirmed it opened an investigation earlier this month into what the OCS alleges is the theft of the business data.

The data includes individual cannabis retailers’ sales, their inventory levels and other sensitive information such as store license number and the amount of kilograms and packaged units sold for at least the months of December 2021 and January 2022.

As the only legal wholesaler of cannabis in Ontario – Canada’s biggest legal cannabis market by sales – industry sources said it’s imperative the government-run body be seen as credible in the eyes of its clients, the more than 1,500 cannabis stores that can buy their products only from the OCS.

David Hyde, CEO of security consultancy Hyde Advisory & Investments in Toronto, said the wholesaler needs to address the issue head-on and identify what led to the breach.

“To maintain their reputation and credibility, I’d think the OCS wants to identify and address any root cause issues of this firstly and then send out other communications to appropriate parties, stores included, to reassure them that those have been addressed,” Hyde told MJBizDaily.

Other business sources expressed concern the data could be used to exploit vulnerable store owners whose businesses aren’t performing well – for example, they could be vulnerable to predatory takeover bids.

They also wonder if the OCS could benefit from a permanent CEO after years of filling the position on an interim basis.

Responding to queries from MJBizDaily, OCS Senior Director of Communications Daffyd Roderick said immediate steps were taken to address the situation once the organization became aware of the data breach.

“We restricted access to our internal data reports, commenced a comprehensive investigation to identify the source of this problem and notified the Ontario Provincial Police,” he said.

“The OPP is conducting its own review and investigation into the misuse of this data within the cannabis industry.”

Who has the data?

The Canadian Federation of Independent Business (CFIB) is among those concerned the stolen data could be used for exploitative business practices.

“With all the stories about the (cannabis retail) market probably going to consolidate, there’s a bit of oversaturation, you’ve got to wonder exactly who has the information,” said Ryan Mallough, the CFIB’s senior director of provincial affairs for Ontario.

“Are there bully offers out there? If you’ve got that (leaked data) and you’re looking to consolidate stores in an area, you know who to pick on, who to flex and go at.”

Mallough also expressed concern over other possible fallout.

Are you a social equity cannabis license holder or applicant?

The MJBizCon team is now accepting 2023 Social Equity Scholarship Program applications.

The mission of this program is to provide social equity cannabis license holders or applicants access to the #1 global cannabis industry conference + tradeshow in Las Vegas.

Who can apply?

  • Students currently enrolled in a cannabis-related program at an accredited university or college.
  • Cannabis executives at licensed social equity cultivation, extraction/processing, retail, manufacturing/brand businesses (or awaiting application approval).

Don’t miss out on this potentially life-changing opportunity.

Apply to attend MJBizCon today – The application period will close on July 24!

“I heard from one business owner who was now wondering if they’re doing really well, will someone use that data and open a store across the street?” he said.

“Another asked, ‘Does my competitor two blocks away have that information, and how are they using it? Maybe not against me but still to their advantage?’”

Mallough said the general feeling among store owners he spoke with was “shock, frustration, a little bit of exasperation, like a ‘What did you expect from the OCS kind of thing.’ Yet another frustration point.”

Leadership issues?

Shane Morris, founder of Ottawa-based Morris and Associates Consulting, said the OCS plays a pivotal role as the Ontario cannabis retail industry’s only wholesaler.

“It’s the only cannabis bridge in the industry (in terms of wholesale in Ontario), and if that bridge goes down, then it damages the value chain very quickly and very substantially.”

“I think it’s a function of a young organization, they’re handling billions of dollars, (and) it clearly has leadership issues. They’re on their sixth CEO – they have a lot of learning to do,” he said.

Last March, David Lobo became the OCS’ sixth president in three years – but only on an interim basis.

Lobo, who hasn’t done any media interviews, was the organization’s third straight temporary chief executive since September 2019.

The OCS said it initiated a search for a new CEO “in early 2022.”

“Once the successful candidate is selected, OCS will issue an official announcement,” the OCS’ Roderick said.

“There is definitely a credibility issue, because you’ve got a lot of people’s livelihoods in the value chain that rely on this organization (Ontario Cannabis Store), whether it’s licensed producers or retailers,” Morris said.

“Fundamentally, I think the OCS has a problem with handling confidential business information.”

The leak of information raises concerns about the OCS’ data governance model, said Ann Cavoukian, Ontario’s former privacy commissioner and the current executive director of the Global Privacy and Security by Design Centre, which advises businesses on privacy protections.

Cavoukian said the government-run corporation “reneged in terms of their requirements to protect the data – the data need to be strongly secured, and that’s their obligation.”

“I would urge them to add security and get security into the design of their operations, so that the data can be secured and protected.”

A late 2021 report from the Office of the Auditor General of Ontario found that the OCS lacked “a data-governance component, including identification of what data the enterprise has, where that data resides, how that data is used and what compliance obligations apply.”

In response, the OCS said it was working on a data strategy that would “include appropriate safeguarding and retention standards for third-party data.”

‘Needs to be reassurance’

One independent Ontario cannabis retailer told MJBizDaily the data breach represented “an egregious breach of trust” between the wholesaler and the retailers that depend on it.

To regain that trust, experts in business security suggest the OCS needs to get to the bottom of what actually happened and come clean with the hundreds of stores that rely on its services.

“At the end of the day, this is something that needs to be answered to,” said Hyde, the security consultant.

“There needs to be reassurance that whatever it was that led to this has been addressed and identified. Right now, we know what it’s not – an IT security breach.”

The OCS has said the data was stolen and not the result of a hack.

Hyde said the security industry leans on a standard called “the principle of least privilege.”

It means only those who absolutely must have access credentials to certain security or data should be allowed to have them, and the credentials need to be very tightly monitored.

“That’s to make sure that if you have the keys to the crown jewels, so to speak, those passwords are changed every couple of months, there’s oversight,” Hyde said.

“The likelihood is that this is more of a procedural failure, or an access-privilege type of issue that befell the OCS, rather than it being a weak security system that was overtaken by hackers.”

Matt Lamers can be reached at matt.lamers@mjbizdaily.com.

Solomon Israel can be reached at solomon.israel@mjbizdaily.com.