The state of Nevada’s government website has potentially exposed the personal data on over 11,700 applicants for dispensing medical marijuana in the state.
CBS News says each application, eight pages in length, includes the person’s full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant’s citizenship, their driving license number (where applicable), and social security number.
A Google search done by a man in Dallas led to the discovery of the problem. Justin Shafer said he discovered the breach Tuesday night while he was looking to see if any government websites had errantly posted social security numbers online. Shafer said he noticed one of the completed applications pop up in the search results with a social security number in plain view.
“I skimmed it looking for anyone’s actual social in the Google result because if you see that, that’s a good indication something’s public where that person wouldn’t want it to be public,” Shafer said.
“Information including names, addresses, phone numbers and driver’s license numbers are also listed on the exposed applications.
Many of the people affected are employed by members of the Nevada Dispensary Association.
“The information about the hack was just released this morning, and the dispensary members and dispensary owners were not aware of the details,” said Riana Durrett, executive director of Nevada Dispensary Association. “The NDA has offered to lend whatever support it can.”
Durrett says she’s been assured the state is focusing all of its efforts to fix the breach.
“Of course, they are all hands on deck to try to do whatever they can to make sure there are no further breaches,” Durrett said. “They will be notifying those affected by this.”
The state disabled the website Tuesday morning. The medical marijuana patient portal was also taken down as a precaution. It was taken down a few weeks ago due to unspecified security issues, but the website was deemed safe and is back online.
It’s not clear whether or not this latest breach is related to the previous one.