
Between October 10 and November 10, 2024, the Everest ransomware group compromised a third-party point-of-sale vendor used by STIIIZY, one of California's largest cannabis retail brands. The attackers had access for 31 days before detection, during which they exfiltrated customer names, addresses, dates of birth, driver's license numbers, passport numbers, photographs, government ID signatures, medical cannabis cards, and complete transaction histories from four dispensary locations.

Timeline

Oct 10, 2024: Attackers gain access to STIIIZY's POS vendor systems
Nov 10, 2024: Data exfiltration window closes (31 days of access)
Nov 20, 2024: STIIIZY notified by POS vendor of the compromise
Late Nov 2024: Everest ransomware group claims the attack, lists 422,075 customer records
Jan 7, 2025: STIIIZY publishes data breach notification; 380,000 individuals formally notified

What was exposed

The stolen data included everything a dispensary collects during customer check-in: full names, home addresses, dates of birth, driver's license numbers and photographs, passport numbers, the signatures on government IDs, medical cannabis card information, and complete purchase histories. This is everything an identity thief needs, and it came specifically from customers who purchased a federally illegal substance, which adds another layer of risk for the affected individuals.

The real vulnerability: vendor supply chain

STIIIZY's own network may not have been directly breached. The attack targeted accounts within their POS processing vendor's infrastructure — likely a SaaS account takeover rather than a direct system exploit. This is a critical lesson: your security is only as strong as your weakest vendor. If your POS provider, seed-to-sale tracking vendor, or payment processor is compromised, your customer data is exposed regardless of how well your own systems are locked down.

How to protect your dispensary

Vendor security assessments

Require SOC 2 Type II certification or equivalent from every vendor that touches customer data. Review their incident response procedures and breach notification timelines before signing contracts.

MFA everywhere

Enforce multi-factor authentication on every SaaS account, POS admin portal, and cloud platform. The STIIIZY breach likely involved compromised credentials — MFA would have stopped or significantly slowed the attack.

Data minimization

Only collect and retain the customer data your state requires. If you don't need passport numbers, don't scan them. Less data stored means less data stolen.
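
One way to apply data minimization at check-in, as an added example (not code from STIIIZY or its POS vendor). It goes a step beyond the text by storing an age-check result and a keyed token instead of the date of birth and license number. The field names, required-field list, minimum age, retention window, and sample values are all assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumption: fields this hypothetical state requires the dispensary to keep.
REQUIRED_FIELDS = {"full_name", "medical_card_id"}
# Assumption: hypothetical retention window and minimum purchase age.
RETENTION = timedelta(days=365)
MIN_AGE = 21


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def minimize_checkin(scan: dict, key: bytes, today: date) -> dict:
    """Reduce a scanned ID record to what is stored after check-in."""
    kept = {k: v for k, v in scan.items() if k in REQUIRED_FIELDS}
    # Store the outcome of the age check, not the date of birth itself.
    kept["age_verified"] = age_on(scan["date_of_birth"], today) >= MIN_AGE
    # A keyed token lets staff recognise a returning customer without the raw
    # license number ever reaching the database or the vendor.
    kept["id_token"] = hmac.new(
        key, scan["drivers_license_number"].encode(), hashlib.sha256
    ).hexdigest()
    kept["visit_date"] = today
    return kept


def purge_expired(records: list, today: date) -> list:
    """Drop stored visits older than the retention window."""
    return [r for r in records if today - r["visit_date"] <= RETENTION]


# Constructed sample scan; every value is made up.
SAMPLE_SCAN = {
    "full_name": "Alex Example",
    "home_address": "1 Sample St, Anytown, CA",
    "date_of_birth": date(1990, 5, 17),
    "drivers_license_number": "X0000000",
    "passport_number": "000000000",
    "photo": b"\x89PNG-constructed",
    "signature": b"constructed",
    "medical_card_id": "MC-0000",
}

if __name__ == "__main__":
    print(minimize_checkin(SAMPLE_SCAN, b"demo-key-not-for-production", date(2025, 1, 7)))
```

The HMAC key has to live outside the system that stores the records; otherwise the tokens can be recomputed from guessed license numbers.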

Breach response plan

Have a tested incident response plan before you need one. Know your state's notification requirements, have legal counsel identified, and know exactly who you're calling at 2 AM.

This article is for informational purposes only and does not constitute legal or cybersecurity advice. Consult qualified professionals for guidance specific to your operation.

Don't wait for your breach notification.

Book a free cybersecurity assessment. We'll evaluate your vendor risk, access controls, and incident response readiness — before the Everest group or their successors come knocking.
