Already behind schedule, Washington state’s new seed-to-sale tracking system, known as Data Leaf Systems, opened on February 1 to immediate complaints. The database is reportedly filled with bugs — and now it has surfaced that the system was hacked in a cyber attack on Saturday, February 3.
Since November, when MJ Freeway announced the system would be ready by January 1, 2018, Washington has not had a government-operated seed-to-sale tracking system. Shortly before the first deadline, MJ Freeway announced they would need another month to complete the project. Data Leaf Systems went live on February 1 and vendors were soon reporting they could not complete travel manifests. These manifests are required before any cannabis can be transferred in Washington, and are essential in keeping track of the flow of adult-use cannabis around the state.
A Washington State Liquor Control Board (LCB) spokesperson told Ganjapreneur the problems have been fixed and all indications show the manifest problem has been taken care of. He said the other problems are related to known bugs and are being addressed by a team working 24-hour shifts.
However, an email sent to licensees by LCB Deputy Director and Traceability Project Executive Sponsor Peter Antolin sheds more light on the manifest system issues, which may have been the result of the recent security breach. Antolin’s email detailed the incident:
The state’s vendor, MJ Freeway, became aware of the transfer abnormality on Saturday. The company immediately began a review and identified it as a potential security incident on Monday. MJ Freeway immediately notified the WSLCB. The WSLCB then contacted the Washington State Office of CyberSecurity (OCS), which examined the data taken to determine if it contained personally identifiable information …. The information captured by the intruder does not contain personally identifiable information, such as names and social security numbers.
The cyber attack was able to glean the route information of industry manifests filed between February 1-4 and transporter vehicle information, including VIN, license plate number, and vehicle type. The Data Leaf Systems database does not include driver or driver license information. In fact, the majority of the compromised information is already publicly available.
The LCB has alerted the Washington State Office of Cyber Security (OCS), who examined the data taken to determine if any personal info was compromised, and there is an ongoing security investigation into the hack. The LCB is advising all licensees to review their travel arrangements and take appropriate action to protect their businesses.
Antolin concluded his email:
The bottom line is that this incident is unfortunate. There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system. Know, however, that we will continue to take necessary steps to protect all traceability information.