MJ Freeway reports that its third-party forensic investigation indicates no data was stolen during a “criminal, malicious hack.”
On January 7, a malicious intrusion into MJ Freeway’s digital information platform brought down the company’s seed-to-sale system, throwing hundreds of clients offline. Nevada’s traceability system was among the systems affected. In an interview conducted yesterday, Jeanette Ward, the company’s director of data and marketing, shared as much information as she could about the hack and the third-party forensic investigation conducted by The Crypsis Group, which she said has arrived at some absolute conclusions. She also commented on steps the company is taking to reinforce its system while addressing the needs and concerns of current and potential users of its software.
Mg: Let’s start at the beginning with exactly what brought MJ Freeway down.
Jeanette Ward: Late on January 7, MJ Freeway was the victim of a malicious, criminal cyber-attack. We have a statement [see below] from our lawyer, a veteran attorney who works with the likes of VISA on cyber-attacks, saying that based on all the information we have at hand we were absolutely the victim of a criminal, malicious attack. I say this only because there are rumors flying around that this was not a hack and not an attack, and it absolutely was.
On January 8, our clients began to experience the effects of this. The MJ Freeway system went offline for all our clients, who also had no access to the MJ Freeway site. The hack was aimed at corrupting files and data and it was unprecedented in terms of its sophistication, and it impacted both our live or production servers, as well as our backup servers. We have multiple backup servers and multiple redundancy, and we have them in multiple locations and with multiple companies. The attack hit all of them.
[Attorney’s statement: “Immediately following the January 7 disruption of MJ Freeway’s IT systems, the company engaged The Crypsis Group to conduct a comprehensive forensic investigation of the event and assist in the recovery of all client data. It is clear to me that MJ Freeway is the victim of a sophisticated, criminal cyber-attack. We have referred this matter to law enforcement, and MJ Freeway has implemented additional security protocols to protect its infrastructure from further attack.” —Mark Mermelstein, attorney with Orrick, Herrington & Sutcliffe and global co-chair of MJ Freeway’s cyber security and data privacy team.]
Were these attacks conducted simultaneously?
They hit all of [their targets] within a very short period.
Including the Nevada State system?
That is correct. It included Leaf Data Systems, which is our government tracking product that the state of Nevada is using. I want to draw a line between this attack and the State of Nevada, which had an attack a couple of months ago. At this time, we have no connection between those attacks, but it did impact our systems and products that the government is using for tracking.
So, no official Nevada state databases were compromised in this attack—just yours providing services for the state?
Correct.
Considering the scale and breadth of the hack, were you aware of the breach as soon as it occurred, or even as it was occurring?
No. We were not immediately aware the second the breach occurred. However, we became aware within a matter of hours and began to mobilize resources and communicate with clients. It’s common that companies, even large ones, will find out about breaches after the fact, but because of the file selection and because everyone’s system was down, we knew about it really quickly.
How long were they in there to be able to do so much damage? Surely they left copious clues behind.
We do know what the time frames are, and do have evidence that helps us begin to put together the steps of how it was done and who did it. But we are not releasing any of that information, because we have released this to law enforcement.
Federal law enforcement?
If we were not a cannabis company, federal law enforcement would handle this cybercrime, but we are not referring this to the FBI. One, we’re not sure how interested they would be, but also out of respect for our clients, who would not be too keen to hear this case has been referred to the FBI and they are potentially digging through this information.
There is a Colorado Bureau of Investigation that deals with cyber crimes, and we have referred the matter to them instead of going to the feds.
How many dispensaries use your software?
That’s a little hard to nail down. We have over 500 clients, but each client can have one, two, or five locations. So, it depends on whether we’re talking about dispensaries, locations, and licenses, or our entire customer base, which includes consulting customers. So it gets hard to pin that number down.
How many dispensaries are you recovering data for?
There are over 500 that we are recovering data for.
Will you be able to recover all missing or corrupted data?
There was corruption damage sustained. Because we do have multiple, redundant backups, there is recoverable data. Think of it like a puzzle. Each backup was a complete picture, and the corruption affected different pieces of that puzzle, so we have got to manually pull out uncorrupted files from each backup to make a total picture. The corruption is not uniform, so it will differ for each client how much data we can recover for them. Not every client will get 100 percent of their data back. I would love to promise that they will, it would make people happier, but it is highly unlikely.
What type of data are we talking about?
It will be sales, inventory, and customer data. It will also be cultivation data: plant height, strains, and yields. Clients use this for running the most critical parts of their business.
Are HIPAA law violations a part of this scenario as well?
One thing I have left unsaid is that we had encryption, and what has been confirmed by a third-party IT security firm that’s doing a forensic analysis of the hack is that during the attack, no data was extracted. We can see what the hackers did, and we could see if they did any commands to extract data, and that did not happen during the hack.
By extracted, do you mean taken, stolen, copied, taken somewhere else?
Yes. That was not done, and our data is encrypted. First the data would need to be extracted. One of our tech people explained to me that it’s like a safe in a house. First you have to get the safe out, and then it’s going to take you forever to try to unlock the safe and take the data. In this hack, the forensic evidence shows that during this attack, that did not happen.
So, while you can’t guarantee all data will be returned, you can guarantee patients and dispensary customers none of their personal data was stolen?
That’s right. It’s very important to our clients and their customers, and we want to put them at ease about that.
Were inventory control services also impacted by the hack?
Historical data regarding inventory may be lost. We don’t know what we’re going to recover for each client, but loss is certainly a possibility. Now, what clients did during the interim, what they did while they waited to get back online and then when they got back online, they took a physical count of their existing inventory and they’re entering that into MJ Freeway. The catch-up work is entering that data back in and then starting back up from that point.
Very few software companies in cannabis are not cloud-based, and when you are cloud-based anything can happen. Any company that says they cannot be a victim of a cyber-attack is, frankly, lying. We know that the most successful entities, companies, and even governments are being hacked.
You have to have your own practices for saving critical information, and the clients that have done that, when we’ve brought them back online, they tell us “I have all my sales transactions, I have all my patient records, I have all my inventory, because I saved a copy last week. Can we get that loaded in?”
Absolutely! Those clients came back much faster with our help getting that data reentered and uploaded for them. Something for everyone to learn coming out of this is that no matter the promises of the company—because a lot of our competitors are promising “this can never happen with us”—it can [happen]. No matter which provider or software you choose, you have got to protect your own records.
Why did some dispensaries close and others stay open?
That’s an excellent question. What it boils down to is there was not a case where a dispensary had to close because of compliance reasons due to MJ Freeway not being operational. It was the choice of the business owners that it was too burdensome for whatever reason to operate without their MJ Freeway system. Those that did stay open in some cases had longer lines because what you had to do, when the system was still down, was to do paper records.
At the Portland dispensary I frequent, which is an MJ Freeway customer, the line was a little bit longer. I went in, they made copies of my driver’s license and med card, and they wrote down my order on a piece of paper. It was as fast for me as it is when they’re up and running on MJ Freeway. They didn’t have longer lines, but of course I know some of our clients did, because paperwork is slower than having our system available, especially for high-volume dispensaries. High-volume dispensaries had longer wait times and also had more inventory, meaning they might have needed to eyeball whether merchandise was in stock or not. That can be burdensome, but it really boiled down to the choice of that business owner whether they wanted to move forward using paper or wait until we got [their location] back online.
Is it possible that some of them could not identify their customers with absolute certainty?
As a business owner, the number-one thing you wanted to make sure you did while the system was down was remain in compliance with the law. What’s positive, and what a lot of dispensaries that stayed open did, was to go straight to their state’s compliance system and enter information directly into the system. You can also view information from those systems. For instance, if someone’s medical card is not current or is inactive, you can go and see how much the person purchased, if the state has limits on the amount a patient can buy in a certain timeframe. That information would be in the system, so there were ways to stay compliant and open while we were unavailable.
What happened to Nevada’s traceability system? What exactly does it do?
It was knocked offline and impacted the state’s entire ability to function with its cannabis program, so that was an obvious priority to get the Leaf Data system back online for Nevada, which we did very quickly.
Each state with a traceability program decides at what point along the seed-to-sale pipeline they want to trace products. At those moments during the plant’s lifecycle they want you to give them data about the plant: height, yield, weight, who the plant goes to and in what form. Also, whose hands it touches. From cultivator to manufacturer to retailer, they want to know the chain of custody for the purposes of recall, but they also choose the most critical moments when diversion is most likely to happen. They want touchpoints on those moments to prevent diversion. The traceability system watches all of that because you are entering data into that system, and then things are flagged if they seem out of the norm.
What is MJ Freeway doing to prevent another hack of this scale and type?
There are things I can say and things I cannot say. We have put in specific measures that will bolster us against an attack that looks like this one. We had among the best defenses before, but we have vastly improved defenses now. No one in cannabis has defenses as high as we do at this point. It puts us head and shoulders above everyone else.
And something else we are doing that I think is very important is having a third-party security firm do at least an annual review of our security measures looking for any gaps or holes.
Does MJ Freeway assume any liability when a problem like this results in lost revenue for clients?
We’re doing several things for our clients. The first thing is getting everyone’s sites back online. All have been put back up in a more secure hosting environment with unparalleled defenses. The question we get is why it took so long. It took so long because we wanted to get people back up in this new environment, and also because we got people back online in individual one-on-one sessions, walking them through the set-up. It was laborious and took a long time. In a situation like this, there is going to be pressure to get back to normal, but you really cannot forgo security and caution for speed when you’re dealing with this sort of sensitive data. Yes, it took longer than we wanted, but the one-on-one sessions were important to prioritize security and meet our clients’ individual needs.
Everyone is back up now?
Yes, that happened [January 16].
Another thing we’re doing is crediting all our customers for the month of January, and that is above and beyond what is in our contract. We really feel for our clients, and even though we were the victim of the attack, so were they. So, we want to help, and that’s the second thing we’re doing.
The third thing is to provide temporary staff for data entry. So, if [dispensaries] stayed open and used paper, we are paying for on-site temp staff to enter that data into the MJ Freeway system. We will cover the cost to get clients back up.
We also are working on a data-recovery effort, and are working with new regulators. We have notified every state’s regulatory leadership about the outage, and we have had webinars with Metrc, one of the primary traceability systems for most states. We have letters for clients to show to auditors in case they show up, that say MJ Freeway certifies they had an outage. We are also talking to auditors on our clients’ behalf.
What about the timing of this attack, with a new, possibly hostile administration coming into power? Steph Sherer from Americans for Safe Access says they’ll be watching and auditing the industry, and every company needs to behave above reproach. Do you feel a responsibility to do your part?
Absolutely. We are a responsible, ethical, and lawful company. To have these attackers do this criminal act that created such havoc for the industry and such ripple-effects makes me angry. I’m passionate about my company and our clients, but I’m also passionate about the industry, and that is true of MJ Freeway. We’ve been here since 2010, and at this moment in time, to be a part of this kind of negative noise and news in our industry—we don’t need it.
Yes, the timing bothers us. At a time when we were trying to improve our modality, improve our ethics, improve our ability to comply, it’s really upsetting.
Any final words for existing or potential clients?
We truly value every one of our clients, and we have been humbled by their support. The vast majority have remained with us. We are solid and strong and staying in business, despite the rumors circulating. We are staying in business for our clients, so anyone with any concerns about whether we will continue to be around: We absolutely will be. We’re not abandoning them or the industry.