
Cannabis Club Data Breach Exposes One Million Passport Records

Unsecured database containing customer passport scans and transaction logs left accessible for weeks before discovery.

By Ethan Walsh, Investigations Editor. Published June 10, 2026.
A person wearing a hacker mask operates a computer in a dimly lit room with digital displays.

A cannabis social club operating across multiple jurisdictions left an unsecured database containing more than one million passport scans, customer transaction records, and payment details exposed online, according to cybersecurity researchers who discovered the breach on June 8, 2026.

Database Contained Passport Scans and Purchase Histories

The exposed database held 1.04 million passport images alongside timestamped purchase logs, membership application forms, and partial payment card data. Security firm TechGuard identified the misconfigured server during routine internet scans and notified the unnamed cannabis club operator on June 8. The club secured the database within 18 hours of notification, according to TechGuard's incident timeline.

The breach affected customers who submitted government-issued identification during membership enrollment between January 2024 and May 2026. Passport scans were stored as high-resolution JPEGs with full document numbers, expiration dates, and biometric photos visible. Transaction logs included product names, purchase amounts in euros and U.S. dollars, and timestamps accurate to the second.

TechGuard confirmed the database was indexed by at least two public search engines specializing in exposed cloud storage buckets. Forensic analysis found no evidence of malicious access prior to discovery, but the firm warned that absence of logs doesn't prove absence of intrusion.

Legal Exposure Under GDPR and State Privacy Laws

The breach triggers mandatory notification requirements under the EU General Data Protection Regulation and California Consumer Privacy Act, exposing the operator to fines up to 4% of global revenue. GDPR Article 33 requires breach notification to supervisory authorities within 72 hours of discovery when personal data compromise poses risk to individual rights. Passport scans qualify as sensitive biometric data under GDPR Article 9, carrying enhanced penalty exposure.

California law mandates direct notification to affected residents when Social Security numbers or government ID credentials are exposed. According to TechGuard's sample analysis, the database contained residential addresses for approximately 87,000 California customers. Class-action attorneys specializing in data breach litigation have already begun outreach to potential plaintiffs, according to court filing databases searched by CannIntel.

Cannabis operators face compounded legal risk because federal prohibition prevents access to mainstream cybersecurity insurance products. Standard commercial general liability policies exclude claims arising from federally prohibited activities. Most dispensaries and social clubs? Self-insured against breach liability.

Third Incident in Cannabis Retail This Year

This marks the third significant cannabis-sector data breach disclosed in 2026, following a February point-of-sale system compromise affecting 14 Colorado dispensaries and an April breach at a Canadian licensed producer. The pattern reflects systemic underinvestment in information security across an industry handling sensitive customer data while operating under regulatory frameworks that mandate ID verification and transaction logging.

State cannabis regulators in California, Nevada, and Massachusetts require dispensaries to scan and retain customer identification for compliance audits, creating centralized repositories of sensitive documents. Those mandates don't specify encryption standards, access controls, or breach notification protocols. Privacy advocates have flagged these gaps since 2018.

What happens next? European data protection authorities will decide whether to impose penalties severe enough to force industry-wide security upgrades. For context on cannabis operators' ongoing struggle with data privacy compliance, see the CannIntel topic hub on cannabis data breaches and privacy.
