On Sunday, Jan. 8, Waylon Broussard arrived at Cannabal City Collective, the medical marijuana dispensary he manages in downtown Los Angeles, to find that the software system was down. He thought it might be a brief outage for maintenance, but the cloud-based software hadn’t been restored by the time the store opened. As customers arrived, the budtenders started scribbling down orders.
“It was the exact same way for us,” said Corey Schwartz, who manages Coast to Coast Collective in Canoga Park.
Similar scenes played out across legal marijuana states. MJ Freeway, the Colorado company that is the largest provider of software to cannabis businesses — including grows, factories and shops — had suffered a major crash, crippling all of its customers, about 600 businesses, many with more than one location.
Government regulators in Nevada, who use MJ Freeway software, also saw their systems go dark. For MJ Freeway, the outage set off a feverish few days, says Jeannette Ward, executive director of data and marketing. She says that as the company tried to get customers back online, it also was boosting its own security. Restoring customers’ systems often required individual, one-on-one conversations. (The Nevada system was back up in 24 hours.)
Convinced that the incident was caused by a malicious attack, the company referred the matter to Colorado authorities for a criminal investigation, which is ongoing. MJ Freeway did not refer the case to the FBI, since its customers operate in a federally illegal industry. “We don’t want to expose our clients to the feds digging around in this data,” Ward says.
MJ Freeway is keeping fairly tight-lipped about the attack, since a criminal investigation is underway. But the company believes the attacker’s goal was to destroy rather than steal data. This is unusual, since stolen data can be ransomed back to the owner or otherwise monetized.
After the outage, Schwartz’s and Broussard’s dispensaries both lost MJ Freeway software for about a week. Everything budtenders had logged had to be re-entered into the system. Both companies at least had backups of their historical data, which MJ Freeway says it will not be able to fully restore to all customers.
“Small to midsize companies are easy targets” for cyberattacks, says Ray McKenzie, founder of Red Beach Advisors, a business consultancy in L.A. Smaller businesses often lack the money to hire cybersecurity experts. McKenzie suggests that attacks such as these can come from someone “scouring the internet looking for places to poke holes,” or perhaps a competitor.
Last month, Gov. Jerry Brown set aside $52.2 million to regulate cannabis, a substantial portion of which will go to software for the state to track legal marijuana. Proposals are due by the end of February and the state hopes to make a decision weeks later in order to have a functional system by Jan. 1, 2018.
MJ Freeway’s Ward estimates that the company is one of a handful competing for the contract, expected to be the biggest of its kind yet awarded and a stepping stone to future business.
“Timing-wise, this attack comes very close in timing to the [request for proposal] process and it seems to me awfully coincidental,” says Mark Mermelstein, an L.A.-based cybersecurity lawyer with the firm Orrick, Herrington & Sutcliffe, who has been enlisted by MJ Freeway. “You could imagine a scenario where a competitor, a bidder for this RFP, tried to disable one of the leading candidates to win this contract.”
Mermelstein says the attack on MJ Freeway could be a way to show the state that a competitor might have trouble keeping its clients’ data safe. “I don’t know that this is the case, but it hangs together as a motive,” he says.
By now, MJ Freeway appears to have weathered the worst of the outage, though it expects to be restoring customer data for several more weeks. And while customers were inconvenienced, the company says its turnover for January was lower than in a normal month. “We couldn’t be more incredibly devastated by the impact it’s had on our clients,” Ward says.
A previous version of this story did not clarify that Nevada’s system was only down for 24 hours.