MJ Freeway’s Lack Of Security Competence Spells Trouble For PA’s Confidential Patient and Business Data

Call it a hack. Call it an attack. Call it a breach. MJ Freeway is running out of spin these days


In case you aren’t familiar, MJ Freeway was selected by the PA Department of Health to exclusively provide “seed-to-sale” software for the Medical Marijuana Program.

This new breed of software is typically required by state governments in order to keep the feds from storming dispensaries in states that have legalized marijuana. Basically, MJ Freeway’s software allows the state to monitor where the marijuana is, who is buying it, how much, etc. You know, because it might get on the streets.


MJ Freeway also provides ERP-type software for marijuana businesses, though no one uses it. Not a soul.

In any case, MJ Freeway’s systems have been penetrated twice this year. The first one you can read about in one of our earlier posts. We essentially wondered why our state officials would choose a software vendor that was hacked during the bidding process, and chalked it up to an insane connection between MJ Freeways investors and marijuana lobbyists.


The latest gaffe takes a much more serious turn. Aaron Biros from Cannabis Industry Journal was one of few to report this month that MJ Freeway had been “compromised” yet again.

Portions of MJ Freeway’s source code were reportedly stolen and posted in Reddit threads as well as on Gitlab.com, a source code hosting website. On June 15th, the account “MJFreeway Open Source” was made on Gitlab.com, and portions of the source code were posted, but have since been taken down.

Of course, MJ Freeway was quick to respond with all the right answers:

“Last week we discovered that someone had obtained an outdated portion of MJ Freeway’s source code. This incident has absolutely no impact on our systems or MJ Freeway services, and client and patient data is not at risk. While this theft poses no risk to our clients, patients, or business operations, we take any incident involving unauthorized access very seriously and have reported it to the Colorado Bureau of Investigation.

Unfortunately, it has come to our attention that our competitors are spreading inaccurate information about the incident, including baseless claims about SSL info and the potential for client data being compromised – neither of which is true. We encourage our customers to contact us directly with any questions they may have.”

To be clear, we don’t believe they have ever referred a case to the CBI (which we will gladly retract in the event that they reveal the results of the last investigation) Alas, due to the sheer volume of emails we’ve received on this matter, we figured that it was time to drop some knowledge on ya. They lyin.

We have now received multiple confirmations that unscrupulous actors are indeed selling real patient and business data that was extracted from dispensaries operating in Nevada, where MJ Freeway also holds a state software contract. Dispensaries are reportedly receiving emails like this:

for sale: nevada.leafdatasystems.com customers tables

greetings we have great offer for you! thanks to site for post all code, we have obtain all data. you will find 2000 records of sample attached for your pleasure and trust. In total there is 56 thousands patient customers records to be paid for by you. we also has all records from sql table other than customers — strains, sales, plants, batches, areas and many more to list.

we think customers most value as u will grow you’re customers faster by reach out to already customers at other places. as you see also, we work with other group to add more better data. they help us clean, make data pretty and add more datas that are important. also….if u want user passwords to site……we have this too and if u want this we wont tell..we promise 🙂 🙂 🙂

all datas freshly download today 26.06.2017.

if u are interest plz write back and we work together for deal. we accept only bitcoin!!

Hearsay? Tell that to Brian Staffa, who’s had a firsthand look at the “records of sample”:

I have vetted the comment, and have seen the 2000 patient “sample list” and unfortunately it’s all very real.

Surely our state officials won’t stand behind THIS decision, right?





Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s