Solomon Israel | MJBizDaily
An independent cannabis retailer, who claims she tipped off the government-run Ontario Cannabis Store (OCS) wholesaler to a major breach of business data, said the leak could pose serious security risks to stores in Canada’s biggest adult-use cannabis market.
The leak of sensitive retailer data – affecting 1,200-plus regulated cannabis stores in the province – could pose challenges to retailers who sell store data to producers, suggested Jennawae McLean, founder and CEO of Calyx + Trichomes, which has two locations in Kingston, Ontario.
“But it’s more that it’s a safety and security risk, big time,” McLean added.
“And that it’s an egregious breach of trust, I would say.”
According to an OCS email to retailers that was reviewed by MJBizDaily, “the data was misappropriated, disclosed, and distributed unlawfully.”
McLean said that more than one month’s worth of data was released, which would make the breach more extensive than previously reported.
The data includes individual cannabis retailers’ sales, their inventory levels and other sensitive information.
McLean expects retailers will take legal action against the OCS, which serves as Ontario’s only cannabis wholesaler.
“For sure there’s going to be some sort of lawsuit brought forward, 100%,” McLean told MJBizDaily.
“I’ve been stewing about this for a month,” she continued.
“Definitely, my lawyer’s already involved, and I have at least 50 other independents who feel like they would want to take part in this as well.
“At this point, the OCS needs to correct this situation and leave us feeling like we can trust sharing our data with them.”
Data breach said to cover multiple months
The Ontario Provincial Police (OPP) confirmed it is investigating the matter and that criminal charges could be laid.
The data at the center of the probe could already be producing fallout in Ontario’s hotly competitive retail cannabis market.
McLean told MJBizDaily she learned about the leaked data at the start of April from another retailer, who told her the information was being used by larger retailers “to intimidate independents” and by licensed cannabis producers to choose “which stores to focus their energy on.”
Initially, McLean said, she didn’t believe the leaked data was real but nevertheless contacted the OCS and the provincial cannabis retail regulator, the Alcohol and Gaming Commission of Ontario (AGCO).
“They both said, ‘No, there was no data leak,’” McLean said.
On April 19, the same retailer messaged McLean with a photo of the dataset, showing her stores’ sales numbers for December.
After that, McLean said, she contacted her OCS district sales manager and filed a report with the AGCO.
Both agencies then started investigating, she said.
On April 21, a third party provided McLean with the full spreadsheet, and she confirmed that her sales numbers were accurate.
The leaked December spreadsheet has been viewed by MJBizDaily, which received it from an anonymous source.
It includes sensitive business information like monthly kilograms and units of cannabis sold, revenue, and inventory levels, all tied to store names and license numbers.
On May 5, McLean said a journalist shared with her another set of OCS data — this time, a spreadsheet showing Ontario retail cannabis store data for January.
MJBizDaily has not viewed the purported January data leak.
McLean said the misappropriated information poses serious problems for retailers.
“For us, for example, as a high-volume store, it’s a security risk to know literally how many kilograms I have in my stockroom and how much volume we’re doing and how much business we’re doing at our location,” McLean said.
“And then, on the other side of things, for retailers that aren’t doing so good, it’s pretty embarrassing. … Nobody wants this data out there.”
‘We should be able to trust that our data is being taken care of’
The OCS has told MJBizDaily that the data loss was not a breach of security or IT systems but, rather, the “data was misappropriated.”
McLean said that “somebody needs to take ownership and apologize for this criminal data breach” and that whoever’s responsible needs to be held to account.
She’s pleased that the OPP has launched an investigation.
“I hope that this comes to a resolution quickly and that we don’t see it again,” McLean said.
“I hope that infrastructure is put into place so this is avoided in the future, because this is not something that we should, as a private sector, be dealing with when we’re dealing with a government entity – we should be able to trust that our data is being taken care of.”