Cyber Intrusion Creates More Havoc for Washington State’s New Marijuana Tracking System

Other states’ seed-to-sale tracking systems have troubles of their own

Medical Marijuana spilling out of a jar
Photo: iStock Photo

Licensed marijuana product growers and retailers have been very unhappy with Washington State’s new “seed-to-sale” marijuana tracking system that went live on 1 February.

Buggy software has kept many suppliers from shipping their products because of manifest errors and, equally, retailers from accepting their orders. While Washington’s Liquor and Cannabis Board officials have insisted that the myriad software problems are being fixed or work arounds exist for most of them, it also has disclosed that the tracking system experienced a cyber intrusion.

In a letter to licensees, the Liquor and Cannabis Board stated that on 1 February someone downloaded a copy of the traceability database, which in turn affected key operations of the tracking system in a way the Board refused to disclose. The intruder was able to access information for four days of marijuana deliveries, including delivery-vehicle information together with type, license-plate number and VIN numbers. The Liquor and Cannabis Board said that since the latter information was publicly available and no personal information was accessed, there was no need for anyone to be concerned. Retailers and growers, however, were not exactly comforted by the Board’s reassurances.

Like most other states that have legalized marijuana in some form, Washington State requires that marijuana products be tracked from seed, or when it’s planted, to sale to a customer, so the state will have insights into the state of the market and movements of the products. The state, which allowed the retail sale of marijuana in 2014, initially used the software provided by BioTrackTHC. However, the company decided against bidding for the new contract when it was re-competed last year because of concerns with the proposed requirements.

Washington State selected Franwell’s METRC system as a replacement in May, but that company backed out a month later reportedly because of concerns it had with what the state required in terms of traceability. The state next selected MJ Freeway’s Leaf Data System in June, with an expected go-live date of 1 November 2017, but on-going technical problems delayed the start date first to 1 January and then to 1 February.

In light of the difficulties MJ Freeway was having, especially with creating the traceability database, the state asked BioTrackTHC to continue to provide its services after 1 November until MJ Freeway could complete its transition, but the company refused, in part because of its concerns about MJ Freeway’s cybersecurity not being entirely adequate. The concern seems valid in light of an cyberattack MJ Freeway suffered in January 2017 that targeted the company’s main databases and backups, rendering it unable to process and track transactions. A second security breach occurred in June that was attributed to a source code leak.

Washington’s Liquor and Cannabis Board has said when it thinks the Leaf Data System will be completely operating securely and reliably, but the longer it has problems, the greater the risk that illegal sales of marijuana by licensees may occur. Not only would that erode support of legalizing marijuana in states that are currently considering legalization, but more importantly from Washington State’s perspective, that would deprive the state of tax revenue. For instance, from July 2014 to November 2017, Washington State has collected $715 million on $3 billion in total sales involving marijuana products.

Illegal sales are not only a concern in Washington State, but in next-door Oregon, too. An audit [pdf] released last week into the state’s Cannabis Tracking System states that while the CTS is working, it also has eight IT security management issues that could result in the CTS being compromised. In addition, the CTS has data reliability issues and inadequate processes for managing the increasing number of marijuana applications and vendors that are licensed to operate in Oregon. The audit states, for example, that there are too few state inspectors to ensure that growers and retailers are in compliance with state law and that marijuana is not illegally being sold across state lines.

Oregon is currently producing three times as much marijuana than there is demand for, which raises concerns that the excess is being sold on the black market. While overproduction seems to be a problem in other states where marijuana sales are allowed, Oregon seems to have an acute problem that is concerning United States Attorney for the District of Oregon Bill Williams. Williams says that postal agents in Oregon reportedly seized 1200 kg of marijuana and $1.2 million in cash last year alone, while agents in Colorado have seized on 446 kg since 2013 in comparison.

Nevada and California have also had problems with their marijuana tracking systems. Nevada dumped the MJ Freeway Leaf Data System in September for rival Franwell’s METRC system in September 2017 some 18-months into MJ Freeway’s five-year contract with the state. No official reason was given for the switch. Superficially, it wasn’t for cost, since Nevada will be paying Franwell more than it was paying MJ Freeway. Speculation is that MJ Freeway’s security issues were a compelling reason for the change in vendor.

California was supposed to have a marijuana tracking system based on Franwell’s METRC system in place beginning 1 January 2018, but so far it is not truly operational even as state officials say that the system is “implemented.” California has only issued temporary 120-day licenses to growers and retailers, meaning that the holders of which do not have to use [pdf] the METRC tracking system. Instead, temporary license holders are supposed to manually track their sales invoices and shipping manifests for later compliance reviews. Only when they are issued annual licenses will California licensees be required to use METRC.

Exactly when annual licenses will be issued, California’s Bureau of Cannabis isn’t saying. Given that California expects to eventually pull in an estimated $1 billion a year in taxes on $7 billion of marijuana related sales, and the state is well-known aggressive tax enforcement, I can’t imagine California waiting too much longer before getting its tracking and compliance systems into operation. In addition, given that California is estimated to produce five to twelve times more marijuana than is consumed, a lack of a robust tracking system in place could lead to federal intervention.

As more states legalize marijuana, expect more tracking system related-issues, especially those involving cybersecurity and compliance enforcement. Like healthcare IT systems, marijuana tracking systems look to be very tempting targets to cybercriminals to exploit.

The Computing Technology Newsletter

Biweekly newsletter about advances in hardware, software and systems.

About the Risk Factor blog

IEEE Spectrum’s risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.