A cannabis tech company has exposed millions of records containing the private data of employees working at cannabis dispensaries.
Würk, a Colorado-based HR platform providing payroll, workforce management, and compliance services for the cannabis industry, exposed 2.5 million records containing the private data of its users.
Cybernews research showed that the exposed data included dispensary employees' payroll records, addresses, dates of birth, and employment details such as start and termination dates. The leaked data also included encrypted Social Security numbers.
The leak was caused by a misconfigured MongoDB instance (a document-oriented database) that left Würk's data reachable from the internet without any authentication.
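As an added illustration (not from the article, and not Würk's actual configuration, which was never published), the two mongod.conf settings that produce an instance that is "passwordless and publicly accessible", beside their hardened values. The private address 10.0.5.12 is a placeholder for an application server's interface.

```yaml
# Added example, not the article's or Würk's own configuration.
# File 1: /etc/mongod.conf as it looks when an instance ends up exposed.
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, so the port is reachable from the internet
# No "security" section: security.authorization defaults to "disabled",
# so any client that can reach port 27017 can read and write every database.
---
# File 2: /etc/mongod.conf hardened against the same failure.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus one private interface (placeholder address)
security:
  authorization: enabled        # every connection must authenticate and is role-checked
```

Two practical notes. Create an administrative user before restarting with `authorization: enabled`, otherwise the only way back in is the localhost exception. And the quickest external check is to run `mongosh --host <public-ip> --eval 'db.adminCommand({listDatabases: 1})'` from outside the network with no credentials: if it returns a database list instead of an authentication error, the instance is in the same state this article describes.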
According to Bob Diachenko, the cybersecurity researcher who first identified the leak, the exposure poses a significant threat because of the sensitive nature of the information involved.
“This breach could enable threat actors to engage in identity theft, financial fraud, or targeted phishing attacks, posing serious risks to the affected employees' personal and financial well-being,” says Diachenko.
He adds that the exposure of employment details may lead to malicious activities such as unauthorized access to company systems or potential exploitation of regulatory vulnerabilities, further emphasizing the gravity of the situation.
At the time of writing, the exposed data has already been secured. In an official comment, Würk claimed that its clients' data had not been compromised. The company urged its clients to communicate directly with it regarding any concerns or inquiries they may have.
“At Würk, the security and privacy of our clients' data are our top priorities. Any potential data incident is treated with the utmost seriousness, which prompted us to initiate a comprehensive investigation in December with our third-party developer, who manages MongoDB. After a thorough examination, we can confirm that no substantial information was compromised, making these claims false and misleading,” said the company's spokesperson.
Updated on February 23rd, 2024: "2.5 million affected users" changed to "2.5 million exposed records with private user data."