A customer at a Denver marijuana shop pays with cash during a transaction in May 2014. (Brennan Linsley, Associated Press file)

MJ Freeway discloses another cyberattack on the firm, affecting cannabis businesses

MJ Freeway, one of the first companies to create “seed-to-sale” tracking and business software for the legal cannabis industry, has just disclosed it was the target of another cyberattack; one that took place about a year ago.

The Denver-based company, which also provides tracking software for a number of state regulatory systems in addition to approximately 1,000 cannabis retailers across the U.S., also has been dealing with a string of hacks, system outages and other disruptions over the past several months.

According to a statement to its clients, published Tuesday on the firm’s website, MJ Freeway determined that “certain client information” had been stolen on or around Nov. 19, 2016, affecting businesses in multiple states. The data included customers’ date-of-birth and contact information, but no Social Security identification or credit or debit card numbers, according to the company.

The firm said it immediately launched an investigation and has been working with “third-party forensic investigators.”

This is at least the second time MJ Freeway has been the victim of a cyberhack. In January, the company reported an outage of its inventory system and an inability to process transactions, due to an attack on both its main and backup databases.

“Customer trust and safety are our first priority and since the January event we have worked with the Colorado Bureau of Investigation and our independent security firm to recover client data, strengthen our systems, and identify the criminals behind the attack,” Jeannette Ward, MJ Freeway’s vice president of global marketing and communications, said in an email statement to The Cannabist.

In terms of the November 2016 incident, Ward said the company is “pleased to have recovered this file and intend to use it to restore a subset of client data previously believed lost. We stand ready to assist our customers and answer their questions about this development in our investigation.”

A spokesperson for the Colorado Bureau of Investigation (CBI), meanwhile, told The Cannabist that while “the victim in this case has indicated the CBI is reviewing this case, the Bureau does not provide comment on active investigations, or even confirm our agents are investigating.”

Attorney Mark Mermelstein, who is counsel for MJ Freeway and a specialist in cybersecurity legal issues, told The Cannabist the hacks appear to be a “sophisticated sequence of malicious attacks directed against the company.”

In many corporate cyberattacks, he said, the attacker will corrupt the target’s files and then demand money for the return of the un-corrupted original.

But in the case of MJ Freeway, he noted, “there never was an extortion demand. And so you have to ask the question: Why would someone want to take a copy of our data, and then destroy our copy of the data, and then upload data that’s now a year old? One could imagine a scenario where a competitor or someone with interest in destroying our business reputation was doing this.”

Mermelstein said he believes what’s happening with MJ Freeway could be a new kind of cyber incident. Rather than stealing data or trade secrets, he said, there might be a rival business or interested party working to destroy another company’s data in order to gain a competitive advantage.

“If that’s what’s happening, that really is a new front in the cybersecurity wars,” he said. “We really haven’t seen competitors weaponize cyberhacking in a significant way.”