Those familiar with the industry know that cannabis retailers find themselves in a unique position compared to other product retailers. Cannabis retailers face significant regulatory hurdles to their operation—particularly in connection with payment processing. In addition, the relative youth of the marketplace means that the cannabis marketplace is only just beginning to consolidate into large and small players—placing increased pressure on retailers to make sure that they, their products, and their reputations remain clean and clear, or face backlash at a time when negative market attention could lead to business death.
And, while all retailers increasingly look to third-party vendors to add expertise at a lower cost, the peculiar and occasionally legally grey area of cannabis can sometimes lead to only a small number of vendors willing to take the risks to assist cannabis retailers and the use of a small number of vendors across wide swaths of the industry. Into this environment stepped STIIIZY, one of California's largest cannabis retailers, and their data breach from November of last year. This breach, and its ramifications, should be a cautionary tale for others in this space and a call for more cybersecurity precautions.
In November of 2024, STIIIZY suffered a data breach that exposed the personal information of approximately 380,000 customers. The breach, attributed to the Everest cybercrime group, affected multiple locations and was traced to a compromise within one of the company's point-of-sale processing vendors.
The cannabis industry, despite its rapid expansion, remains particularly vulnerable to cyberattacks due to a combination of regulatory burdens, fragmented financial infrastructure, and limited access to mainstream banking services. One of the major challenges cannabis retailers face is securing financial transactions. Due to federal restrictions in the United States, major credit card networks typically do not process cannabis-related transactions, forcing dispensaries to rely on alternative payment solutions. One popular method has been the use of "cashless ATMs," which disguise cannabis purchases as ATM withdrawals. While this workaround has enabled cannabis businesses to operate within the constraints of the financial system, it has also led to increased scrutiny from regulators and financial institutions.
Read more at Clark Hill
