MJ Freeway Takes Cyberattack - Forces some retailers to close over weekend

If a single cyberattack can slow or even halt business for this many retailers, that’s huge news. That’s economic devastation.

2 Likes

Wow, that’s not cool. Sounds like someone is DDOSing them, whether that’s a competitor, someone with a beef against cannabis, or just a troll like the Lizard Squad who attacked the Playstation and Xbox networks. They definitely need to invest in some more redundancy and attack mitigation technology for a hosted platform like this one.

2 Likes

Wanted to briefly follow up.

The cyber attack actually affected some businesses I was in the process of interviewing, and they’re still reeling from the after-effects of what happened. This attack had a big effect that was even felt by us!

1 Like

I’ve heard through the grapevine that some people are still playing catchup from the outage, in terms of getting their inventory updated and business back in order. How has the outage impacted you, for those of you who use their service?

1 Like

Another article with a look at the breach and the actions MJ Freeway has taken to shore up security after the breach:

2 Likes

Yikes. This has been a disaster for all, sadly. The loss of goodwill alone can be potentially fatal to a provider that has a serious service/data loss and cannot recover quickly. If you sum up the financial losses for the customers (just lost sales for 3-4 days), plus the financial costs of recovery, rework, etc. you quickly get to tens of millions of dollars.

I discussed my concerns regarding disaster recovery, backup and uptime for the industry in another post here:

Hackers are attacking all eCommerce sites 24x7, and have been for years. The industry needs to be more prepared.

5 Likes

I know there’s a couple folks on here who work in IT who specialize in the cannabis industry, and generally that sort of business continuity falls under their purview. I’m not sure how many dispensaries and grow operations have either dedicated IT staff or a good MSP that helps them out with that level of redundancy. It’s a difficult problem to solve in the small business space no matter what the industry.

2 Likes

No system is ever perfect or invulnerable, but there are ways to make attack or infiltration prohibitively resource-intensive.

Evaluating tech for weaknesses and risk is not an easy task, especially for operators who specialize in cultivating or retailing cannabis rather than building software.

Security is a central part of Meadow’s system, and we are always happy to go through an evaluation of your current system and compare the other options available to you.

We all hope that MJ Freeway is able to recover. They have been in the cannabis software space longer than any of us and helped paved the way for others. Many of our partners experienced difficulties due to the outage, but from what we’ve heard MJ Freeway did everything they could to resolve the problems. Attacks like these and the aftermath can hurt the credibility of cannabis tech. So, chin up, let’s learn from this and keep improving, for the sake of our partners and the patients.

2 Likes

That is very true. The previous company I worked at does security and antivirus: https://www.webroot.com/us/en

Being in that industry I got to see first hand how many breaches are occurring and how costly it can be to vendors who get hit. Now that the cannabis industry is growing it’s not surprising to see some of the premier service providers get targeted by DDOS attacks and ransomware.

The other big issue happening is around Internet-enabled devices. Anything that is connected to the Internet is vulnerable to attack, and Webroot is working on an IoT API to allow vendors of Internet-enabled devices to embed protection in their products: https://www.webroot.com/us/en/business/iot I can see that coming in handy for many of the monitoring devices used in the cannabis industry that allow for remote monitoring over the Internet.

3 Likes

Exactly right. End users/licensee cannot do it. Nor should they have to hire consultants to add “security” and “disaster recovery” to others offerings. As @getmeadow says, it is up to us - the industry software/service providers. to do it.

2 Likes

We’ve taken a different approach with our software that eliminates the vulnerability exploited by the MJ Freeway hack.

We use smart-card technology instead of a web-based login/portal. Each employee (and plant) has an NFC smart-card that grants access to our Traceability system. The cards have to be matched with the specific business, so someone with a card can’t get into any other TraceWeed system.

We wrote up a more detailed blog post, which you can find here. http://www.dauntlessinc.com/blog/2017/1/20/traceweed-putting-data-security-first

If you have any questions, feel free to ask!

ddv

Darin Velin
Dauntless Software Inc.

4 Likes

Hate to to dredge this back up, buuuuuuut:

2 Likes

Wow that is bad. While no customer data was breached and it was just their source code, this does allow hackers to inspect said code to look for vulnerabilities. They definitely need to hire a cybersecurity company to get themselves some help!

1 Like