Massive Data Exposure: Over 985,000 Photo IDs Left Unprotected in Cannabis Club Software Breach
Security researcher Sammy Azdoufal uncovered a severe data exposure involving over 985,000 photo IDs, including passports, driver’s licenses, and personal details, left publicly accessible on the internet due to critical security flaws in software used by cannabis clubs in Spain. The breach, discovered in May, stemmed from Cannabis Club Systems (CCS), an Irish company formerly known as Nefos Solutions, which provides verification and management software for cannabis clubs.
Azdoufal, who previously exposed vulnerabilities in DJI robot vacuums and baby monitors, found that CCS’s systems stored sensitive documents at unprotected public URLs, requiring no authentication to access. The exposed data included names, phone numbers, home addresses, cannabis consumption habits, and even selfies, affecting visitors from over 30 countries, including 30,000 U.S. citizens and reportedly some celebrities.
The issue originated from CCS’s PuffPal app, which clubs used for member verification via QR codes. Azdoufal’s investigation revealed hardcoded Stripe API keys, unsecured admin portals, and weak club passwords that could be cracked with minimal effort. Even after initial fixes, CCS temporarily re-exposed data to accommodate club complaints, prioritizing functionality over security.
Following pressure from Azdoufal and media inquiries, CCS shut down PuffPal and vulnerable APIs on June 10, securing the exposed IDs. The company has since reported the breach to Ireland’s Data Protection Authority (DPC), though it missed the 72-hour GDPR disclosure deadline, risking fines. CCS co-founder Andreas Nilsen acknowledged the lapse, blaming an outsourcing firm, 9Series, for the flawed development but taking responsibility for the oversight.
While Nilsen says there is no evidence of malicious access beyond Azdoufal’s findings, the incident highlights widespread risks in third-party software security, echoing a similar breach last month in which a UK visa portal exposed 100,000 passports via unsecured URLs. CCS plans to replace PuffPal with an independently audited app and has severed ties with 9Series.
Source: https://www.theverge.com/tech/947157/passports-data-breach-cannabis-club-systems-nefos-puffpal
CCS (Cannabis Club Systems) cybersecurity rating report: https://www.rankiteo.com/company/ccs-cannabis-club-systems-
"id": "CCS1781130576",
"linkid": "ccs-cannabis-club-systems-",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "Cannabis clubs in Spain, visitors from over 30 countries (including 30,000 U.S. citizens)",
      "industry": "Cannabis, Verification & Management Software",
      "location": "Ireland",
      "name": "Cannabis Club Systems (CCS) / Nefos Solutions",
      "type": "Software Provider"
    }
  ],
  "attack_vector": "Unsecured public URLs, hardcoded API keys, weak passwords",
  "data_breach": {
    "file_types_exposed": ["Images (photo IDs, selfies)"],
    "number_of_records_exposed": "985,000",
    "personally_identifiable_information": "Yes (names, addresses, phone numbers, government IDs)",
    "sensitivity_of_data": "High (PII, government-issued IDs)",
    "type_of_data_compromised": [
      "Photo IDs (passports, driver’s licenses)",
      "Names",
      "Phone numbers",
      "Home addresses",
      "Cannabis consumption habits",
      "Selfies"
    ]
  },
  "date_detected": "2024-05",
  "date_resolved": "2024-06-10",
  "description": "Security researcher Sammy Azdoufal uncovered a severe data exposure involving over 985,000 photo IDs, including passports, driver’s licenses, and personal details, left publicly accessible on the internet due to critical security flaws in software used by cannabis clubs in Spain. The breach stemmed from Cannabis Club Systems (CCS), an Irish company formerly known as Nefos Solutions, which provides verification and management software for cannabis clubs. The exposed data included names, phone numbers, home addresses, cannabis consumption habits, and selfies affecting visitors from over 30 countries.",
  "impact": {
    "brand_reputation_impact": "Significant (public exposure, GDPR violation risk)",
    "data_compromised": "985,000 photo IDs (passports, driver’s licenses), names, phone numbers, home addresses, cannabis consumption habits, selfies",
    "identity_theft_risk": "High (exposed PII, photo IDs)",
    "legal_liabilities": "Potential GDPR fines, regulatory notifications",
    "operational_impact": "PuffPal app and vulnerable APIs shut down",
    "payment_information_risk": "Potential (hardcoded Stripe API keys)",
    "systems_affected": "PuffPal app, CCS verification and management software"
  },
  "investigation_status": "Resolved (PuffPal and APIs shut down)",
  "lessons_learned": "Third-party software security risks, importance of independent audits, prioritizing security over functionality, timely GDPR compliance",
  "post_incident_analysis": {
    "corrective_actions": [
      "Shut down vulnerable systems",
      "Replace PuffPal with audited app",
      "Sever ties with 9Series",
      "Report breach to DPC"
    ],
    "root_causes": [
      "Unsecured public URLs",
      "Hardcoded Stripe API keys",
      "Weak club passwords",
      "Flawed development by third-party (9Series)",
      "Prioritization of functionality over security"
    ]
  },
  "recommendations": "Replace vulnerable software with independently audited solutions, enforce strong authentication, avoid hardcoded credentials, comply with GDPR disclosure timelines",
  "references": [{"source": "Security researcher Sammy Azdoufal"}],
  "regulatory_compliance": {
    "fines_imposed": "Potential (missed 72-hour disclosure deadline)",
    "regulations_violated": ["GDPR"],
    "regulatory_notifications": "Reported to Ireland’s Data Protection Authority (DPC)"
  },
  "response": {
    "communication_strategy": "Reported breach to Ireland’s Data Protection Authority (DPC), media inquiries addressed",
    "containment_measures": "Shut down PuffPal app and vulnerable APIs",
    "remediation_measures": "Replaced PuffPal with an independently audited app, severed ties with 9Series",
    "third_party_assistance": "9Series (outsourcing firm blamed for flawed development)"
  },
  "title": "Massive Data Exposure: Over 985,000 Photo IDs Left Unprotected in Cannabis Club Software Breach",
  "type": "Data Exposure",
  "vulnerability_exploited": "Lack of authentication, unsecured admin portals, weak club passwords, hardcoded Stripe API keys"
}