Ontario Cannabis Store says police investigating ‘criminal’ data breach

Just Released! Get realistic market forecasts, state-by-state insights and benchmarks with the new 2024 MJBiz Factbook member program, now with quarterly updates. Make informed decisions.

Image of downtown Toronto

The government-run Ontario Cannabis Store, the province’s legal wholesaler of adult-use marijuana, said the Ontario Provincial Police (OPP) is investigating what the OCS alleges is the theft of sensitive business data. 

The OCS confirmed the breach in an email to the province’s retailers late Tuesday.

“The data was misappropriated, disclosed, and distributed unlawfully,” according to the email, which was viewed by MJBizDaily.

“As a result, we trust you will refrain from sharing or using this stolen data in any way.”

An OCS spokesperson called the situation “a criminal matter.”

MJBizDaily understands that the leaked data displays the sales of every cannabis store in the province for December 2021, as well as store name, license number, sales days, kilograms sold, kilograms sold per day, total units sold, total inventory at the beginning of the month and sell-through rate, among others.

The breached data also shows whether each store is independently owned, is part of a franchise or whether it falls into another category, such as being part of a national corporation.

The leak does not involve consumer data.

“The OPP is conducting its own review and investigation into the misuse of this data within the cannabis industry,” according to the email to retailers.

In lieu of answering questions from MJBizDaily, the OCS said the incident is not a failure of the organization’s IT systems or security.

“This data was misappropriated,” a spokesperson said via email.

“As this is a criminal matter under investigation by the OPP, we cannot comment further.”

The provincial police did not immediately reply to requests for comment.

According to the OCS’ letter sent to retailers: “This data was not disclosed by the OCS, nor have we provided any permission or consent to distribute or use this data outside of our organization.”

The leaked data is especially sensitive for retailers, many of which are already struggling to stay afloat. They typically do not publicly disclose their sales.

Business sources say the sensitive information could have implications on everything from expansion plans and the possible sale of a store to relationships with licensed producers.

“Anybody who’s seen this now has an unfair competitive advantage, knowing what your neighboring (store) is making,” a store owner who asked to remain anonymous told MJBizDaily.

Are you a social equity cannabis license holder or applicant?

The MJBizCon team is now accepting 2023 Social Equity Scholarship Program applications.

The mission of this program is to provide social equity cannabis license holders or applicants access to the #1 global cannabis industry conference + tradeshow in Las Vegas.

Who can apply?

  • Students currently enrolled in a cannabis-related program at an accredited university or college.
  • Cannabis executives at licensed social equity cultivation, extraction/processing, retail, manufacturing/brand businesses (or awaiting application approval).

Don’t miss out on this potentially life-changing opportunity.

Apply to attend MJBizCon today – The application period will close on July 24!

“If I don’t have that data, and I’m operating blindly as most retailers are, I’m not making business decisions based on information I don’t have. Now that I have this information (the leaked data), you could use that information to help guide where I’ll put another retail store.”

The breach affects high- and low-performing stores in different – but potentially damaging – ways, according to the store owner.

“If you are a high-performing store, you now have a target on your back. It’s also a security issue. Now we’re concerned about robberies,” the store owner said.

“If you are a low-performing store, it’s really embarrassing to have this out there, and there are a lot more underperforming stores than overperforming stores.”

Also at issue, the store owner said, “… is this is a breach of our OCS retailer agreement. If I were to breach my own OCS retailer agreement, I wouldn’t be allowed to sell weed any more.

“What happens when the OCS breaches their own agreement? There’s no recourse here. The victims are retailers who are having their sensitive data revealed.”

This isn’t the first time a government-owned corporation suffered a data breach affecting the regulated cannabis industry.

A security breach at Canada Post in 2018 affected roughly 4,500 legal cannabis customers.

Matt Lamers can be reached at matt.lamers@mjbizdaily.com.