Personal Info on Marijuana License Applicants Doxxed by Wash. State
Accidentally leaked credentials; Data dump; Insider attack
The Washington State Liquor and Cannabis Board accidentally distributed sensitive data on applicants in response to a public records request.
The LCB had redacted the documents for the records request, but a folder containing the personal information inadvertently was included.
The data was provided to requestor John Novak, a Washington activist who runs a website -- 420 Leaks -- that is critical of the agency.
Novak said he requested documents related to marijuana applications filed under a recently enacted law.
Novak posted the problematic files on 420 Leaks in early May, where anybody could access them. Novak said he subsequently received a phone call from the agency explaining the situation, as well as asking him to delete the records from his website and any copies in his possession.
Novak said he deleted the records from his website, but did not agree to delete his personal copies. “I checked the logs to see if anybody downloaded it, but the logs didn’t go back that far. I know some of our research team downloaded them. A lot of press got the original link," Novak said.
LCB spokesman Brian Smith said, “When we realized that info had been released to Mr. Novak, he was contacted and asked to take that information down from the website and to destroy what he had and we would provide a redacted version. It’s my understanding that this has happened."
The agency says it is working to notify affected individuals.
The exposed data may include Social Security numbers, driver’s license numbers, financial information, tax information and attorney-client privileged information.
The Cannabist reviewed some of the new, redacted files on the agency’s download site, and discovered an unredacted Social Security number. The agency was notified about the apparent error. “I’ll go back and talk to our public records people about that,” Smith said.
Novak said: “I’m not interested in people’s social security numbers or personally-identifying information. I’m concerned about the leak of the information. It’s a massive leak of privacy that should never have happened.”
Novak is concerned about a regulation that will have medical cannabis patients voluntarily register with the government. “The state is trying to start a registry with patient information on the authorization form that the state is going to put into a database beginning July 1,” Novak said.
According to state information about the Cannabis Patient Protection Act (SB 5052) on Gov. Jay Inslee’s website, “Privacy will be ensured at the highest possible level, and the database does not in any way violate" the Health Insurance Portability and Accountability Act.
Government (U.S.); Healthcare and Public Health
June 7, 2016
Link to report
location of breach
Olympia, WA, United States
location of perpetrators
Olympia, WA, United States
date breach occurred
Early May 2016
date breach detected
Between Early May 2016 and June 7, 2016