Industry Updates Markets News Business Human Resources Legal Management Retail Security
Cannabis security expert, David Hyde, addresses glaring questions surrounding recent OCS data breach

“We don’t know what happened here and there’s no such thing as perfect security, but it does raise questions about how secure the data is that OCS has stewardship over.”

On May 10, the Ontario Cannabis Store (OCS) confirmed the OPP’s investigation of a breach in confidential data “after some [OCS] sales data was ‘misappropriated.’”

In a phone call with Grow Opportunity, David Hyde, a cannabis security and consultant expert, and CEO of Hyde Advisory, said that “what we know is that there’s been a bunch of competitive information released but it’s not personal information; nothing that the privacy commission would be involved in.”

Essentially, it is not personal info and it’s not financial data, like credit card info or customer data, but it is still confidential and sensitive data relating to cannabis retail stores and their boardroom habits, the volume they’re ordering at, and the level of inventory they close out with.

For Hyde, this raises a number of concerns because it allows any retailer out there to see how their competition is doing, which products, what volumes, how much they’re selling, the cadence of their ordering, and so much more.

By law, there’s a legal obligation to disclose, under PIPEDA, when someone has been impacted by a data breach, however, PIPEDA does not apply to commercial data like this.

It’s hard to know who could have done this, but Hyde asserts it had to be somebody who had the access credentials to be able to get the universal view of the data.

“I would also question,” says Hyde, “how long did the OCS know about this breach before it was made public? My understanding is that they didn’t make it public, I believe it was the AGCO that ended up inadvertently referencing it somewhere and then OCS had no option but to answer the press…OCS answered very narrowly and they never made a press release about it. Now that it’s been released, it is out there and they can’t control any of it, who has it, which hands it’s gotten into, how it’s being spread or used.”

“I think that’s a low to moderate risk,” asserts Hyde. “I don’t think organized crime is at the root of this and they did it for those reasons, I don’t think that’s the case. But if this data falls into the wrong hands, certainly a criminal enterprise or a criminal could target stores moving a high volume of product. We don’t know what happened here and there’s no such thing as perfect security, but it does raise questions about how secure the data is that OCS has stewardship over.”