The Wake-Up Call That Wasn't Enough
On January 10, 2025, Stiiizy, one of California's largest cannabis brands, confirmed a devastating data breach perpetrated by the Everest ransomware gang. The stolen records included government IDs, passport numbers, photographs, medical cannabis card details, and complete purchase histories. The breach exposed a uniquely damaging data profile that combines financial, identity, and health information for customers purchasing a federally controlled substance.
The 2025 Threat Landscape: What Actually Happened
While the Stiiizy breach dominated headlines, it wasn't an isolated event. Roughly 60% of cannabis businesses report experiencing a cyberattack each year, with 2025 seeing a shift in attack strategy from pure data theft toward operational disruption.
| Incident | Date | Impact | Attack Vector |
|---|---|---|---|
| Stiiizy (CA) | Disclosed Jan 2025 | 420,000+ customer records stolen | POS vendor compromise |
| Ohio Marijuana Card | July 2025 | ~1M patient files exposed online | Unsecured database |
| Trulieve (national) | 2025 | Customer data compromised | Ransomware |
| MJ Freeway | 2017 (benchmark) | Industry-wide compliance disruption | Infrastructure hack |
Schedule III Changes the Risk Calculus
As cannabis moves toward federal Schedule III status, cybersecurity failures will no longer be purely a state-level compliance problem. Federal regulatory oversight (including DEA, FTC, and potentially HHS depending on how the medical model evolves) will bring federal enforcement teeth to data protection requirements.
- Medical data protections intensify: As cannabis moves toward a federal medical model, patient data may attract HIPAA-adjacent protections, significantly raising breach liability.
- Anti-money laundering (AML) documentation requirements will increase under Schedule III, requiring more robust data governance and records management.
- Beneficial ownership transparency requirements will tighten, expanding the scope of sensitive business data that must be protected.
The Threat Attack Surface: What Hackers Are Targeting
Cannabis cybersecurity attack vectors by prevalence, 2025. Sources: IT4Weed, CannaSecure, MJBizDaily
The Vendor Risk Problem
One of the most dangerous misconceptions in cannabis cybersecurity is that securing internal systems is sufficient. In multiple major 2025 incidents, the breach didn't start inside the cannabis company at all; it started with a marketing vendor, analytics platform, loyalty program, or outsourced POS processor.
- The Stiiizy breach originated at a third-party POS processing vendor. Stiiizy's own internal systems may have been secure, but the vendor's weren't.
- Loyalty and CRM platforms hold detailed customer purchase histories that are highly sensitive in a cannabis context; vendor contracts must include strong data protection provisions.
- M&A due diligence must include cybersecurity audits: acquiring a cannabis operator means potentially inheriting threat actors already embedded in their IT infrastructure.
The Operator Action Plan for 2026
- Conduct a data inventory: Know exactly what data you collect, where it's stored, who has access, and how long it's retained. Most operators cannot answer all four questions.
- Implement vendor risk assessments: Require all third-party vendors (POS, loyalty, marketing, delivery) to document their cybersecurity posture before onboarding.
- Train staff on phishing recognition: Phishing remains the #1 attack entry point. Monthly training, not annual, is the new standard.
- Acquire cyber liability insurance: The average breach costs $4.6 million. A $5,000 annual security investment is 0.1% of that exposure. Insurance must be paired with documented compliance efforts.
- Build and test an incident response plan: Know who to call, what systems to isolate, and how to notify customers and regulators before an attack, not during one.
- Secure all databases: The Ohio Marijuana Card incident involved a 323-gigabyte database sitting open on the public internet with no password, no encryption, and no firewall. Basic hygiene remains alarmingly absent.
References & Further Reading
- MJBizDaily, "Once cannabis is Schedule 3, cybersecurity compliance is essential" (Jan 30, 2026): mjbizdaily.com
- CannaSecure, "Cannabis Industry Cybersecurity in 2026: The Threats You Can't Afford to Ignore": cannasecure.tech
- Clark Hill PLC, "The Growing Cybersecurity Risks in the Cannabis Industry": clarkhill.com
- IT4Weed, "Top Cannabis Cyber Incidents of 2025: Review" (Dec 2025): it4weed.com
- MJBizDaily, "How digital transformation exposes cannabis businesses to hackers" (Nov 2025): mjbizdaily.com
- ArentFox Schiff, "Top Issues in the Cannabis Industry for 2026" (data privacy section): afslaw.com