Los Angeles-based cannabis retailer Stiiizy has confirmed a significant data breach following a sophisticated cyberattack that exposed sensitive customer information, including government-issued identification and medical cannabis cards. The breach, which occurred in late 2024, has potentially compromised the personal records of hundreds of thousands of users.
Breach Details and Scope of Exposure
According to a data breach notice filed with the California Attorney General, the incident originated through a third-party point-of-sale processing vendor. Stiiizy reported that an “organized cybercrime group” infiltrated systems between October 10 and November 10, 2024, affecting four of its California retail locations.
The compromised data is extensive. Stiiizy verified that unauthorized parties gained access to:
- Driver’s licenses and passports
- Medical cannabis identification cards
- Full names and residential addresses
- Dates of birth and specific transaction histories
Ransomware Group Targets Cannabis Operator
While Stiiizy has remained reserved regarding the technical specifics of the intrusion, cybersecurity firm Halcyon AI identified the perpetrator as the Everest ransomware gang. In a recent report, Halcyon AI stated that the group successfully exfiltrated the personal information of more than 420,000 customers.
Extortion and Dark Web Leaks
The situation escalated after Stiiizy reportedly refused to meet the attackers’ financial demands. The Everest group subsequently published the stolen database on its dark web leak site, claiming the company had ignored its ransom ultimatum. Although Stiiizy operates 39 stores across the United States, it has yet to disclose the exact total of affected individuals beyond the four impacted California storefronts.
