One Million Passports Exposed via Compromised Cannabis Dispensary ID‑Verification System
What Happened — A database used by cannabis dispensaries to verify customers’ identities was breached, leaking nearly one million passport records from multiple countries. The breach originated in a low‑value ancillary authentication system, but the exposed data are high‑value government‑issued credentials.
Why It Matters for Compliance & Audit Readiness
- Passport data are classified as personally identifiable information (PII) under GDPR, CCPA, and many national privacy regimes; a breach triggers mandatory notification, DSAR handling, and potential fines.
- SOC 2 privacy (CC) and security (SC) criteria require documented controls for data collection, storage, and third‑party risk; this incident shows the need for continuous evidence that those controls are enforced.
- Verisq’s CookiePLUS capability helps organizations prove consent management, DSAR readiness, and privacy‑by‑design evidence to auditors and regulators.
Who Is Affected – Cannabis‑retail operators, their identity‑verification vendors, passport‑issuing authorities, and any individual whose passport data were stored in the compromised system.
Recommended Actions
- Map the breach to SOC 2 CC‑1.2 (Privacy for PII) and SC‑2.1 (Logical Access Controls); collect logs, access reviews, and vendor contracts as audit evidence.
- Conduct a privacy impact assessment (PIA) for the ID‑verification service and update consent/retention policies to align with GDPR/CCPA.
- Initiate DSAR response drills and verify that your CookiePLUS consent logs can be exported on demand.
Technical Notes – The attack vector appears to be a compromise of the dispensary verification platform, likely through a web‑application vulnerability or misconfiguration that allowed attackers to exfiltrate the stored passport dataset. No specific CVE was disclosed. Source: Schneier on Security