Medical marijuana portal exposes thousands of Social Security numbers
The data was available with a simple Google search.
Nevada’s medical marijuana application system has exposed the personal information of thousands of dispensary applicants, the Daily Dot has learned.
A vulnerability in Nevada’s Medical Marijuana Program portal makes available on the open internet the full, unredacted PDFs of over 11,700 dispensary applications, which include names, phone numbers, home addresses, dates of birth, driver’s license numbers, and complete Social Security numbers.
The unsecured database, discovered by medical-industry security researcher Justin Shafer, remained exposed a week after the Nevada Division of Public and Behavioral Health (DPBH), which operates the portal, brought the system back online after a security “problem” forced the agency to take it down Dec. 8.
The portal was taken offline following media reports about the exposed applications.
The DPBH was “given the go ahead” to bring the Medical Marijuana Program portal back online on Dec. 15, Joe Pollock, deputy administrator of the DPBH, told the Las Vegas Review-Journal on Dec. 21. Pollock said the agency did “not have any evidence at this time that indicates the data in the Portal has been compromised.”
Shafer says he discovered the data-revealing PDFs after a simple Google search. The Daily Dot was able to recreate the search, which displayed one applicant’s Social Security number on the Google Search page.
The PDF’s URL exposed by the Google search allows anyone to access thousands of other completed applications because of the way the PDFs are indexed. The Daily Dot is not publishing the URL out of caution for the applicants affected by the vulnerability.
NORML estimates that Nevada has some 20,773 registered medical marijuana patients.
The Daily Dot left voicemails with a number of people exposed by the leaky database to alert them to the vulnerability and confirm they applied to work in medical marijuana dispensaries. One of the applicants, who asked not to be named, confirmed that he registered with the Nevada Medical Marijuana Program and confirmed the personal information included on an application viewed by the Daily Dot.
In a statement, Nevada DPBH said it was investigating a “cyberattack” on its system and reassured Nevada residents that, at this time, all “private patient information is considered to be secure.”
“The entire portal has been taken down,” Cody Phinney, DPBH administrator, said in a statement. “To prevent further breaches, the Division’s IT staff are working with state IT staff, investigating the breach. We appreciate everyone’s patience during this difficult time. As more information is known, the public will be notified.”
DPBH said it has contacted a number of credit-reporting services to alert them that a number of dispensary applicants’ personal information was exposed. DPBH has also contacted law enforcement agencies “for further investigation.”
Update 11am CT, Dec. 28: The Medical Marijuana Program system hosting the exposed PDFs is currently inaccessible.
Update 11:45am CT, Dec. 28: A spokesperson for Nevada’s state government tells ZDNet that they have taken the system offline and plan to notify affected applicants within days.
Update 6:45pm CT, Dec. 28: Added comment from DPBH.
Correction: The applications exposed by the vulnerability are of people who registered to work in medical marijuana dispensaries. We regret the error.
Andrew Couts is the former editor of Layer 8, a section dedicated to the intersection of the Internet and the state—and the gaps in between. Prior to the Daily Dot, Couts served as features editor and features writer for Digital Trends, associate editor of TheWeek.com, and associate editor at Maxim magazine. When he’s not working, Couts can be found hiking with his German shepherds or blasting around on motorcycles.