MJ Freeway’s Lack Of Security Competence Spells Trouble For PA’s Confidential Patient and Business Data

Call it a hack. Call it an attack. Call it a breach. MJ Freeway is running out of spin these days.

In case you aren’t familiar, MJ Freeway was selected by the PA Department of Health to exclusively provide “seed-to-sale” software for the Medical Marijuana Program.

This new breed of software is typically required by state governments in order to keep the feds from storming dispensaries in states that have legalized marijuana. Basically, MJ Freeway’s software allows the state to monitor where the marijuana is, who is buying it, how much, etc. You know, because it might get on the streets.


MJ Freeway also provides ERP-type software for marijuana businesses, though no one uses it. Not a soul.

In any case, MJ Freeway’s systems have been penetrated twice this year. The first one you can read about in one of our earlier posts. We essentially wondered why our state officials would choose a software vendor that was hacked during the bidding process, and chalked it up to an insane connection between MJ Freeway’s investors and marijuana lobbyists.

The latest gaffe takes a much more serious turn. Aaron Biros from Cannabis Industry Journal was one of the few to report this month that MJ Freeway had been “compromised” yet again.

Portions of MJ Freeway’s source code were reportedly stolen and posted in Reddit threads as well as on Gitlab.com, a source code hosting website. On June 15th, the account “MJFreeway Open Source” was made on Gitlab.com, and portions of the source code were posted, but have since been taken down.

Of course, MJ Freeway was quick to respond with all the right answers:

“Last week we discovered that someone had obtained an outdated portion of MJ Freeway’s source code. This incident has absolutely no impact on our systems or MJ Freeway services, and client and patient data is not at risk. While this theft poses no risk to our clients, patients, or business operations, we take any incident involving unauthorized access very seriously and have reported it to the Colorado Bureau of Investigation.

Unfortunately, it has come to our attention that our competitors are spreading inaccurate information about the incident, including baseless claims about SSL info and the potential for client data being compromised – neither of which is true. We encourage our customers to contact us directly with any questions they may have.”

To be clear, we don’t believe they have ever referred a case to the CBI (which we will gladly retract in the event that they reveal the results of the last investigation). Alas, due to the sheer volume of emails we’ve received on this matter, we figured that it was time to drop some knowledge on ya. They lyin.

We have now received multiple confirmations that unscrupulous actors are indeed selling real patient and business data that was extracted from dispensaries operating in Nevada, where MJ Freeway also holds a state software contract. Dispensaries are reportedly receiving emails like this:

for sale: nevada.leafdatasystems.com customers tables

greetings we have great offer for you! thanks to site for post all code, we have obtain all data. you will find 2000 records of sample attached for your pleasure and trust. In total there is 56 thousands patient customers records to be paid for by you. we also has all records from sql table other than customers — strains, sales, plants, batches, areas and many more to list.

we think customers most value as u will grow you’re customers faster by reach out to already customers at other places. as you see also, we work with other group to add more better data. they help us clean, make data pretty and add more datas that are important. also….if u want user passwords to site……we have this too and if u want this we wont tell..we promise 🙂 🙂 🙂

all datas freshly download today 26.06.2017.

if u are interest plz write back and we work together for deal. we accept only bitcoin!!

Hearsay? Tell that to Brian Staffa, who’s had a firsthand look at the “records of sample”:

I have vetted the comment, and have seen the 2000 patient “sample list” and unfortunately it’s all very real.

Surely our state officials won’t stand behind THIS decision, right?


WE ARE WATCHING

-PAMMJW

PA Dispensary Application Scorecards In Spreadsheet Format

PA just announced the Dispensary Permit winners, and here are the results tabulated in Google Sheets for download. Or you can just copy and paste it into Excel.

https://drive.google.com/open?id=10ET6d3eEKXWMm30ga2X3qOr0jPapfhDbzDGwPpJphmQ

First impression – looks like a lot of applicants were rejected prior to scoring (see tab “NotScored”)

-PAMMJW

How Pennsylvania Gamed The Medical Marijuana Permitting Process – Part I

There’s Something Rotten in the City of Harrisburg

We need some number crunchers to look through the score cards, as they appear to be phony or altered. Here is a link to the scores in a spreadsheet:

https://drive.google.com/open?id=1vyzJDH5b3NQZzKOsd1V3poim4f9Bcqxy90pLYmjCEyA

Red Flag #1

Section 21 – Quality Control and Testing For Potential Contamination from the Grower/Processor Application, is a single yes or no checkbox:

[Image: QC]

That’s literally the whole section. It is worth 50 points.

Just so that we are clear, the Department verified this point of confusion in their Question & Answer documents:

[Image: QA.png]

Given a question with only two possible answers, one would expect to see something like this as a result:

[Image: QCscores]

Instead, the scores for this category are somehow a range of two-decimal figures, and the highest scores show a strong correlation with the highest TOTAL scores, mostly the permit winners (sorted high to low by Quality Control score):

[Image: QCActual.png]

Seem fishy? That’s why we need your help. Dig into that spreadsheet and expose this sham!

WE ARE WATCHING

-PAMMJW

 

 

Winning Permit Applications For PA MMJ Growers Released [Transparency Overload]

For your convenience, here’s a summary of all 12 permit applications:

[Image: rwg]

Love the fully redacted docs being released in the name of transparency! You can’t make this up.

 

Here are the applications that have been released:

GP-1005-17 (Prime Wellness, Berks County)

GP-1017-17 (Franklin Labs, Berks County)

GP-2018-17 (Pennsylvania Medical Solutions, Lackawanna County)

GP-2020-17 (Standard Farms, Luzerne County)

GP-3010-17 (Ilera Healthcare, Fulton County)

GP-3023-17 (AES Compassionate Care, Franklin County)

GP-4002-17 (Terrapin Investment Fund 1, Clinton County)

GP-4006-17 (GTI Pennsylvania, Montour County)

GP-5012-17 (AGRiMED Industries, Greene County)

GP-5016-17 (PurePenn, Allegheny County)

GP-6009-17 (Holistic Farms, Lawrence County)

GP-6012-17 (Cresco Yeltrah, Jefferson County)

More @Pennlive http://www.pennlive.com/politics/index.ssf/2017/06/read_the_pa_medical_marijuana.html

-PAMMJW

 

 

 

 


BREAKING: PA Medical Marijuana Grower/Processor Permits Will Be Announced Tomorrow (6/20)!

Confirmed by Sacks Weston and Diamond here https://cannabislaw.report/pennsylvania-office-of-medical-marijuana-to-announce-first-grower-license-recipients-tueday/

Tuesday 20 June at 1pm, John Collins, the Director of the Office of Medical Marijuana, will hold a press briefing to announce the recipients of the first twelve permits to grow and process medical marijuana in Pennsylvania, and provide additional information about implementation progress to date. Attendance will be limited to those with press credentials, but a live stream of the event will be available at http://pacast.com/players/live_doh.asp.

 

 

460 Applications Make The Cut as PA Dept of Health Announces Medical Marijuana Permit Finalists

Since the DOH insists on releasing public documents as PDF files, here are both lists in Google Sheets format for your convenience.

List of Grower Processor Applicants from DOH MMJ Program Site (177 total)

List of Dispensary Applicants from DOH MMJ Program Site (283 total)

With only a few weeks remaining until they announce the winners, the Department of Health has posted the finalized lists of Grower/Processor and Dispensary permit applicants.

Highlights:

Best Business Name:

[Image: younameit2]

Worst Business Name:

NA

Most Applications Submitted Overall

  • Cansortium Pennsylvania, LLC – 10 applications (4 Grower/Processor, 6 Dispensary)
  • GTI Pennsylvania, LLC – 10 applications (4 Grower/Processor, 6 Dispensary)

Most Grower/Processor Applications Submitted

[Image: GP]

Most Dispensary Applications Submitted

[Image: Disp]

Interestingly, some businesses that were previously listed are now missing from the final list. We won’t name them cuz that’s gotta hurt.


Until winners are announced at the end of the month…

We are watching

-PAMMJW