Cybersecurity was already at the forefront of American culture following reports of Russian interference in the 2016 presidential election. In January, the subject became even more relevant within the cannabis industry as one of the leading point-of-sale providers experienced a major crash — and its clients suffered the brunt of the impact. Part one of this two-part series explores the MJ Freeway shutdown and how businesses can take some simple steps to better protect their servers.
The morning of Jan. 9 dawned like any other for marijuana retail workers in Colorado and around the nation.
But when a manager of one shop near Denver tried to help customers pick out their medical and recreational cannabis like she had since the store opened in 2009, she learned that hackers had taken down the MJ Freeway servers the day before, making it impossible to access the seed-to-sale tracking and point-of-sale systems and preventing her, and others like her at more than 1,000 dispensaries from processing transactions.
“It was chaotic to say the least,” said the manager, who did not want to draw negative attention to her shop and spoke to Marijuana Venture on condition of anonymity.
As customers began arriving to buy products, including medical patients in need of their supplies, the store had to turn them away because it was unable to process their requests.
With no way to sell or track products, the dispensary was forced to make a difficult decision.
“We had to close for the weekend,” said the manager, adding that the company offered vouchers for free future pre-rolls to customers who found themselves locked out due to the computer failure.
Her story was not an unusual one, as budtenders and shop owners from around the country took to social media to announce closures or lengthy delays in the wake of the system’s failure as many stores were forced to use old-school methods of paper and pen to track orders.
According to MJ Freeway, the attack corrupted its main and back-up servers, taking them offline for several days and causing the company to update its system and make amends with clients.
Despite the attack’s impact on cannabis businesses, MJ Freeway officials say no customer data was released during the hack.
“It was corruption of our files — both the files that can run the system and our data files,” said Jeanette Ward, director of data and marketing for MJ Freeway. “We know there was no extraction of data — our data is encrypted — so our customer data was safe. But it was corrupted, and now we’re helping to piece it all back together bit by bit.”
Police are investigating the incident, but as of mid-February, there were no arrests and officials were still trying to determine exactly how the attack occurred. But they do know it wasn’t a standard denial-of-service attack that some hackers use to take a website down, Ward said.
“The attack was sophisticated and thorough,” Ward said. “We had very good security. We had multiple redundant backups in different geographical locations, and we had them with two different companies. But we’ve added even more security now.”
In addition to the business-based software, MJ Freeway also sells a system for states and municipalities called Leaf Data Systems, which last year won the contract for the state of Nevada. The Leaf system, however, was not affected, though according to reports, it was included as part of the initial attack.
Most people wouldn’t think about the cannabis industry being a prime target for hackers, but the threats are very real, said Michael Bowers, a software consultant and cybersecurity expert at CAM Business Solutions.
“There’s a lot of money involved, and you have an outside black market with people who are losing money and want to take down the infrastructure of legal cannabis,” Bowers said. “Then there are competitors who are trying to grab a piece of the market, and they may also have a target on your business. And beyond that, there may be individuals out there who want to take your system down and ransom it, since the industry is so cash heavy.”
In the wake of the crisis, MJ Freeway employees worked around the clock trying to salvage pieces of clients’ data, officials said. The company hired temporary workers to help customers manage their data until the system could be fixed and brought in tax help for clients, because of the time of year that the problem occurred.
MJ Freeway also conducted a security review of its system and moved all hosting solely to Amazon Web Services, which Ward said has a reputation of having the best security features and services available.
“We’ve added all the security features there, and we no longer let one person work alone on the system,” she said. “When somebody is working now, somebody else has to be logged on and watching. We’ve taken all these measures to the Nth degree.”
Bowers agreed that Amazon Web Services has a great virtual environment for companies, but those using it should be aware that those security features aren’t automatic.
“What Amazon doesn’t do is consult for you,” Bowers said. “They provide the service, but it’s up to you to use it.”
Some of the security features of the service add 30% to 40% percent to the overall expense, but considering the cost of potential downtime to a business, they’re often worth it, Bowers said.
“Amazon’s Zerto feature, for instance, allows site replication (a full backup to the cloud),” Bowers said. “You could have a meteor hit the Western hemisphere, and if you have your data duplicated elsewhere like that, you won’t lose anything. But it’s not cheap, which is why most people won’t use it by default. You have to ask yourself what risks you’re willing to take.”
End users like growers or retail stores can also add their own backup servers on site for extra protection, ensuring they’ll have a copy even if their major software providers have issues.
“You can encrypt your own hard drive backup at your facility, and bolt it to the desk to make sure no intruder can get it,” Bowers said.
Bowers also said managing employee access and passwords can be a critical area to which most businesses don’t give much thought.
“Say you have somebody about to be fired, or you have an employee who gets into identity theft,” Bowers said. “One way to protect against that is to make sure employees each have their own login, rather than having everybody use the same account, so you know who did what in the system.”
Wireless passwords are another area to keep a close eye on. Most systems will let businesses make individual wireless accounts for each employee, based on their username and password, which makes it easier to see what each employee is doing.
In addition, guest passwords for clients should be firewalled off from the rest of the system, to prevent any potential access to company data, Bowers said.
“These are all things that can minimize downtime, headaches, loss of resources and can create accountability,” Bowers said. “And most aren’t particularly expensive.”
After speaking to her technical team, Ward said MJ Freeway staff members also had some hard-learned advice for others in the industry.
They suggested three main priorities when selecting a software provider: Make sure host servers are in a facility with a security operations center (SOC) level of protection; make sure the company follows HIPAA standards for personal health information (PHI) data; and make sure the company uses personally identifiable information (PII) compliance standards and best practices.
MJ Freeway also recommended setting employee user permissions only to areas that they need to access for work, keeping a log of employee activity on the system and allowing access to company servers only from authorized devices.
MJ Freeway does all of that now, Ward added.
Despite the disaster, most of MJ Freeway’s clients have so far stayed with the company, she said.
“We haven’t lost a lot of customers,” Ward said. “We have very low churn generally, and our churn for January was actually lower than our regular churn.”
While that may be the case, there’s no doubt the crash could have a major impact on MJ Freeway’s success — and could lead to a rush of new business for dozens of competitors in the traceability space. Not all dispensaries — including the one in Colorado — could wait for MJ Freeway to make repairs. The Colorado dispensary opted to switch to a competing point-of-sale system to avoid downtime.
“We didn’t have the ability to stay closed for a month,” the manager said, adding that after switching traceability providers, the retailer reopened the Tuesday after the attack.
But as of early February, the dispensary was still unable to access member information, sales data and customer tracking from the MJ Freeway system.
MJ Freeway was able to get its system back online by Jan. 16 and is crediting all customers for the month of January, but the company is still working on retrieving the data that was corrupted. Some files may be permanently lost.
“It’s tough on our clients,” Ward acknowledged.
“It doesn’t feel good,” she said. “All we want to do now is make it right for our customers.”
Part two of this series will be published in the April issue of Marijuana Venture, digging deeper into the subjects of traceability providers, hacking and the impact of the MJ Freeway shutdown.[contextly_auto_sidebar]