Cannabis is an emerging industry with stratospheric growth expectations. Like the California Gold Rush, the dot-com boom and every other new market with boundless potential, the cannabis industry also has the tendency to attract some sketchy characters with dubious motives.
Security experts have long warned that the cannabis industry is susceptible to both cybercriminal and fraudulent activities. It’s not exactly the Wild West anymore: Businesses and state-legal markets have matured. But risks and concerns about criminal activity and fraud haven’t waned.
Just weeks into 2020, the cannabis industry has been the subject of several high-profile incidents: a reported dispensary point-of-sale system hack that potentially exposed the data of 30,000 people; the US Securities and Exchange Commission charging two men who allegedly used a fake cannabis company as a front for a Ponzi scheme; and the conviction of a former Colorado cannabis entrepreneur in one of the state’s largest fraud cases.
“These industries are targets just because they’re new and there is lots of controversy — whether it’s political or social — with some of the things they’re doing,” Michael Bruemmer, the vice president of data breach resolution and consumer protection for consumer credit reporting company Experian, told CNN Business.
Experts are cautioning companies to shore up their security practices and for consumers to be mindful of opportunities that seem too good to be true.
Cannabis’ emerging market status makes it a prime target fraud, said Jodi Avergun, a former federal prosecutor and DEA chief who now heads law firm Cadwalader, Wickersham & Taft’s white-collar defense and investigations group.
“Consumer and retail investors are not taking appropriate precautions,” she said.
The cannabis industry is teeming with interest and speculation, she said. Most cases brought by the US Securities and Exchange Commission involve operations that purport to be cannabis businesses but instead are schemes — typically of the Ponzi and pump-and-dump variety, she said.
The recent cannabis cases include allegations of a Ponzi scheme tied to a fictitious cannabis company and charges of securities fraud tied to an alleged criminal ring in Colorado.
“The unscrupulous people who have always existed — the out-and-out fraudsters — take advantage of investors who want to make a buck quickly,” Avergun said.
Although cannabis remains illegal under federal law and largely unregulated, some federal agencies continue to keep a close watch for potential nefarious activity. The US Federal Bureau of Investigation last year warned that it saw a “public corruption threat emerge in the expanding cannabis industry,” and agencies such as the SEC have sought criminal charges.
In 2014, when Colorado and Washington State started selling recreational cannabis, the SEC suspended several cannabis stocks and issued an investor alert to warn of questionable practices, alleged illegal stock sales and market manipulation. The agency issued yet another investor alert in 2018 highlighting past enforcement actions and continued warnings.
The SEC Office of Investor Education and Advocacy “regularly receives complaints about marijuana-related investments, and the SEC continues to bring enforcement actions in this area,” the SEC warned then. “If you are thinking about investing in a marijuana-related company, you should beware of the risks of investment fraud and market manipulation.”
The hype — and potential for fraudulent investing schemes — may have abated in recent months as valuations have sunk and companies have restructured to ensure near- and long-term stability.
“But as soon as demand returns, so will the opportunistic fraudsters who seek to take advantage of those who see dollar signs in the cannabis industry,” Avergun said.
Experian’s “Data Breach Industry Forecast” for 2020 predicted that emerging industries such as cannabis, green energy and cryptocurrency would be increasingly become targets for cyberattacks. In 2019, these industries accounted for fewer than 10% of the breaches tracked by Experian, but they remain vulnerable because they’re emerging industries, Experian’s Bruemmer said.
“These controversial industries make great targets because they’re more focused on growing their business and starting up than they are necessarily putting the appropriate focus on cybersecurity,” he said.
Three years ago, a leading seed-to-sale tracking software provider was hit with two cyberhacks in a six-month period. The incidents consisted of a “sophisticated sequence of malicious attacks directed against the company,” an attorney for the targeted company MJ Freeway, now named Akerna, said at the time.
The company spent at least $200,000 to upgrade its cybersecurity and enterprise software capabilities following the 2017 breaches, according to financial filings made with the SEC.
Jessica Billingsley, chief executive officer of Akerna, told CNN Business in December that the company no longer uses the software targeted in the attack and the next generation program is far more robust.
In January, internet security researchers for vpnMentor reported a breach at THSuite, a cannabis point-of-sale provider. The vpnMentor researchers said that more than 30,000 individuals had their information exposed, including photo IDs, addresses and protected health information.
Officials for THSuite did not return multiple calls and emails for comment. Some of the dispensary clients identified in the vpnMentor report told CNN Business that they were quickly taking action to determine how much of their customers’ information might have been affected.
RJ Starr, compliance director for Bloom Medicinals, said he was aware that his company’s technology vendor experienced a data breach and was conducting a thorough investigation.
“Once we’ve identified any affected patients, we will notify each individual patient and follow HIPAA breach notification protocols,” Starr said. “Bloom Medicinals serves tens of thousands of patients in multiple states, and we take patient privacy very seriously. Rest assured, we will implement any corrective action necessary to both remedy and ensure that this doesn’t happen again.”
Consumers and companies can be proactive in protecting themselves from fraud and cybercriminal activity, Avergun and Bruemmer said.
Avergun said that consumers should check the price history of companies’ stocks and research the background of the advisers and executives who are selling shares and running the company.
“If it sounds too good to be true, it probably is — as with any investment,” she said.
As for business investors, it comes down to due diligence.
“There is nothing to substitute for adequate research into company financials, its state compliance policies and processes, and its management before investing in an emerging cannabis company,” she said, noting to be aware of special state-specific risks. “If a manager or owner of a cannabis company was previously operating before cannabis was state legal, that causes problems with licensing in state and may raise the risk of federal prosecutions.”
Bruemmer highlighted three key tips for companies to button-up their security: Ensure that everyone — not just the information technology experts — keeps data security in mind and not make simple mistakes such as clicking on a nefarious link; research and employ credible security technology but don’t be reliant on solely the software; have a proactive plan in place if a security breach occurs.
“A lot of businesses think about it as an after-thought,” he said. But they should pre-plan.”