Cannabis retailer STIIIZY notifies 380,000 customers of data breach
Cannabis retailer Stiiizy yesterday confirmed it notified 380,000 people of an October 2024 data breach that compromised the following customer info:
- Info from government-issued ID cards including driver’s licenses and medical cannabis cards
- Transactions with dispensaries
- Names
- Addresses
- Dates of birth
- Passport numbers
- Photographs
- Signatures
- “Other personal information”
The attack was limited to California, where the following Stiiizy locations were breached:
- STIIIZY Union Square: 180 O’Farrell Street, San Francisco, CA
- STIIIZY Mission: 3326 Mission Street, San Francisco, CA
- STIIIZY Alameda: 1528 Webster St., Alameda, CA
- STIIIZY Modesto: 426 McHenry Ave., Modesto, CA
Ransomware gang Everest claimed responsibility for the attack, saying it stole 422,075 records. The group posted images of what it says are documents stolen from Stiiizy. The group threatened to release the data in two additional posts published on Christmas and New Year’s Day.
STIIIZY has not verified Everest’s claim. We do not yet know whether Stiiizy paid ransom, how much Everest demanded, or how attackers breached Stiiizy’s network. Comparitech contacted Stiiizy for comment and will update this article if it replies.
“On November 20, 2024, we were notified by a vendor of point-of-sale processing services for some of our retail locations that accounts with their organization had been compromised by an organized cybercrime group. An investigation conducted by the vendor revealed that personal information relating to certain STIIIZY customers processed by the vendor was acquired by the threat actors on or around October 10, 2024 – November 10, 2024,” says Stiiizy’s notice to customers.
Stiiizy is offering eligible victims 12 months of free credit monitoring via Cyberscout. The enrollment deadline is April 7, 2025.
Who is Everest?
Active since 2020, Everest is a ransomware gang and initial access broker. Its victims include NASA, the Brazilian government, and multiple hospitals and clinics. The group went quiet in 2022 and 2023 but resurfaced in 2024, when it claimed five confirmed ransomware attacks and 44 unconfirmed attacks that haven’t been acknowledged by targets.
In 2024, Everest claimed responsibility for attacks on Gramercy Surgery Center (50,554 records), Nidec Precision Vietnam Corporation (50,694), Aspen Healthcare Services (8,000+), and Pacific Pulmonary Medical Group (unknown).
Ransomware attacks on US retail
Ransomware attacks on US retailers can close down stores, delay shipments, and cut off access to computers used for everything from payroll to phone and email systems. Attackers demand a ransom in exchange for a key to restore infected systems. They might also demand further ransom for not selling or publishing stolen data.
Comparitech researchers logged 23 confirmed ransomware attacks on US retailers in 2024, compromising 687,709 records. The attack on Stiiizy is the largest of the year. Others include MarineMax (123,494 records) and My Daily Choice (89,188).
About Stiiizy
Based in Los Angeles, California, Stiiizy is a store that sells cannabis products and its own brand of accessories. It operates 10 locations in California and Michigan.