The data breach included social security numbers, drivers license numbers, and tax records.
The data breach included social security numbers, driver's license numbers, and tax records. Blablo101/Shutterstock

Oh boy. The Washington State Liquor and Cannabis Board (WSLCB) has made an incredibly embarrassing mistake: the accidental disclosure of a bunch of sensitive personal data on pot license applicants. The WSLCB admitted the mistake to the Cannabist on June 7, and said the leaked information may include tax records, social security numbers, driver’s license numbers, attorney-client privileged communications, financial information, and guilty musical pleasures. (Just kidding, your Katy Perry addiction is still a secret!)

The leak happened in early May as a result of a public records request filed by John Novak of the Washington cannabis watchdog site 420 Leaks. Novak was seeking information on I-502 retail applications from medical collectives. According to the Cannabist, the WSLCB first sent Novak the wrong records and asked him to delete them. But then, instead of sending the requested licensee information with appropriate redactions, the WSLCB accidentally sent the un-redacted versions of those files.

Novak said he posted the records online without realizing just how much sensitive information they contained. He had also sent a link to the files to various people in the media.

As soon as it discovered the breach, the WSLCB asked Novak to remove the records, which he did. Regardless, the genie is out of the bottle, so now the WSLCB is doing damage control. Brian Smith, the WSLCB’s communications director, told the Cannabist that the agency is currently contacting all affected licensees to alert them of the breach.

But Novak said personal information is still at risk because the original batch of records contained various active links to the WSLCB’s DocuSign account, which is used to process I-502 applications and contains the same sensitive personal data as the un-redacted emails.

No password protections at all,” he said. “That means that anybody in the past who has gotten any of these public records would potentially have received the same links that I got and the WSLCB obviously doesn’t realize that these links are live, going to these completely un-password-protected documents.” After a cursory look, he said he found about six links in about 100 emails, and noted that there were more than 1,300 total emails. He said it would take only basic hacking skills to gain access to other documents on that DocuSign server.

“Those unprotected files are pretty much open season for anybody who has half a brain as far as hacking goes,” he said. “Once a hacker knows the server that documents are located on, they can use different hacking tools to then find other unprotected documents and unprotected folders on the server. That’s where the possibility is that a massive leak has occurred.”

However, the WSLCB does realize that the links are live, they just can’t do anything about it yet. “DocuSign has refused to remove their live links while they are still in queue,” Smith said. “We contacted the three individuals who were affected by the DocuSign links still being active yesterday and worked with them to disable the links on their end. These links are restricted to three individuals and four files.” As for Novak’s concerns about hacking, Smith said the WSLCB’s IT department has assured him that all other licensee data is safe.

Novak is a vocal opponent of the soon-to-be-implemented Cannabis Patient Protection Act, which folds the state’s medical marijuana system into the recreational one, including the management of a state-run registry of medical marijuana patients. Novak characterized the data breach as an argument against the law’s implementation. “If the LCB can’t keep the personal information of 502 applicants safe,” he wrote in an announcement, “there’s no way the state is ready to handle a huge new database of medical documents inside retail marijuana stores.”

However, it’s important to note that the WSLCB has no direct control over the patient registry. The registry is actually run by the state Department of Health (DOH), and held to a much higher standard of privacy than records subject to the average WSLCB public records request, according to Kristi Weeks, the DOH’s legal services director and one of the registry’s chief architects.

“The database is exempt from public disclosure, and the information is only released after very careful scrutiny,” she said. Records, she continued, “may [only] be released in aggregate form with all personally identifying information redacted for the purpose of statistical analysis and oversight of agency performance and actions.” As for the WSLCB’s level of access to the database, Weeks says it’s limited.

“The law grants the LCB access to the database for two reasons only,” she said. “The first is in their role of law enforcement, which allows them to validate a card that is presented to them. The second is to verify that sales-tax-free sales were actually made to a patient with a card. This will entail the patient’s database ID number (and no other information) being entered at the point of sale.”

Novak said he still isn’t comfortable with the state’s handling of sensitive records. He noted that a recent data breach affected 91,000 patients in the state’s Apple Health program. He added that one of the major points of vulnerability in the patient registry is at the level of cannabis retailers, which will be responsible for entering sensitive data into the system.

“If the WSLCB’s public records officers are having this kind of problem, what kind of faith should we be putting in these 502 recreational shops where we’re supposed to take in our authorization form and hand it over to them?” he said. “If the WSLCB can’t keep track of their own information, how are we supposed to have any faith in those stores to handle our documents?”

To be fair, retail cannabis employees handling sensitive authorization documents will have to complete a twenty-hour Medical Marijuana Consultant (MMC) training course that includes at least two hours of privacy training. Seattle Central’s MMC course includes instruction by Nicole Li, an attorney with extensive experience in medical cannabis and a noted patient-privacy advocate. Hopefully, the state’s medical marijuana consultants are properly trained and protect patients’ sensitive data. But, as Novak noted, “It’s all theory right now.”