Hash Gets Hacked

A change in tracking companies has left Washington’s cannabis industry exposed.

By Meagan Angus • February 21, 2018 1:30 am
Tags: ,
Hash Gets Hacked

If you’ve noticed lately that some of your favorite products are missing from your local pot shop, there’s a reason—hackers. Or perhaps more accurately, sketchy digital security. Distributors are having a hard time getting their products delivered to stores due to a series of unfortunate digital-based events.

All cannabis produced and sold in Washington must be tracked throughout the entire process—from “seed to sale”—per state requirements. It must be labeled a certain way, and recorded at each step, and sellers must account for all wholesale and retail exchanges. In 2013, the Washington State Liquor Control Board (LCB), which oversees the state’s cannabis industry, contracted BiotrackTHC to monitor each step. For about $200,000 a year, BiotrackTHC tracked millions of sales and shipments among farmers, processors, retailers, and customers. It also offered a free version of its software to small businesses who couldn’t afford it otherwise.

But last year the LCB decided not to renew BioTrackTHC’s contract, instead bringing in MJ Freeway. According to BioTrackTHC President and CEO Patrick Vo, the LCB now pays MJ Freeway $600,000 per year.

The new company was supposed to take over operations last November. But on Nov. 1, MJ Freeway wasn’t ready, predicting it would take another two to three months before it would be. Washington’s cannabis industry went into “contingency mode.” Businesses suddenly had to find third-party software like Weed TraQR to track sales. Those who couldn’t afford industry software turned to Excel spreadsheets, planning to transfer the data into MJ Freeway’s new software when ready.

That software, Leaf Data Systems, went live on Feb. 1 … and promptly began working erratically or not at all. Many growers and processors faced a multitude of issues: labels missing small details, shipments switching stores, stores not being able to print shipping manifests—or even to enter their products into the system at all.

Vo predicted these troubles in an open letter to Washington State’s cannabis industry last October. MJ Freeway has a less-than-stellar reputation. Between 2016 and 2017, MJ Freeway suffered four security breaches and their source code was stolen and posted publicly by hackers. In one case, more than a year went by before they realized client information had been stolen. During last year’s data handover between BioTrackTHC and MJ Freeway, BioTrackTHC realized its own security was at risk due to back doors at MJ Freeway. However, LCB spokesperson Brian Smith told Vo the issues had been addressed and not to worry.

On Feb. 8, The Seattle Times reported that the reason for the glitches was—wait for it—MJ Freeway’s Leaf Data Systems had been hacked and clients’ information had been stolen. “It was a breach of the system and indications show they downloaded a copy of the traceability database,” Smith told the Times. “No online presence is 100 percent safe.”

Transportation logs, shipping routes, delivery vehicle information, and more was revealed in the stolen data. It’s unknown if the hackers were attempting to steal information,or get into the system to change information for future attempted blackmail.

stashbox@seattleweekly.com

Tags: ,