OLYMPIA – The Washington State Liquor and Cannabis Board (WSLCB) today reported that the online marijuana traceability system was disrupted after a computer vulnerability was exploited on Saturday Feb. 3, 2018. The exploitation allowed an intruder unauthorized access to the system, which is maintained on servers managed by a vendor, MJ Freeway.
State officials say there are indications a copy of the traceability database was taken. The security incident also disrupted inventory transfer data for some users. This is one root cause of the transfer/manifest disruptions experienced between Saturday and Monday. The vulnerability that led to the incident has been corrected.
The state’s vendor, MJ Freeway, became aware of the transfer abnormality on Saturday. The company immediately began a review and identified it as a potential security incident on Monday. MJ Freeway immediately notified the WSLCB. The WSLCB then contacted the Washington State Office of CyberSecurity, OCS, which examined the data taken to determine if it contained personally identifiable information, PII.
No Personally Identifiable Information Released
The OCS review, completed Wednesday, found no PII, such as names or social security numbers in the data provided by the vendor. However, out of caution, the WSLCB notified licensees of the incident.
The WSLCB and MJ Freeway continue to implement strategies to prevent future intrusions. This includes full logging and monitoring and working with third-party entities. Since this remains an active investigation, details on incident specific security actions are not publicly available.