
American medical cannabis company Stiiizy has been hit by a cyberattack that exposed the personal information of more than 420,000 customers, including passports, driver’s licenses, signatures and transaction histories.
The cyberattack occurred as a result of an outage at a service provider that served several Stiiizy retail stores in California. Stores in San Francisco, Alameda and Modesto were affected. The stolen data included names, addresses, dates of birth, driver’s license and passport numbers, customer photos and even signatures on government documents. This data leak can lead to fraud, identity theft, or even extortion. The Everest group, known for its ties to Russian hacking groups and past attacks on AT&T and the Brazilian government, claimed responsibility for the attack. According to Halcyon AI, after Stiiizy refused to pay the ransom, the hackers posted the stolen data online, the company said.
Everest is a well-known hacker group operating on the Ransomware-as-a-Service model. It is involved in cyberattacks on various large organizations around the world. In particular, in 2022 the group hacked Brazilian government servers and stole 3 terabytes of data. In 2024, the Ransomlooker tool confirmed that the group carried out 18 attacks in November and 12 in December.
The cyberattack on Stiiizy highlights the data security risks for companies that handle sensitive customer information. Such incidents not only cause financial losses, but also damage the company’s reputation. Experts recommend that companies regularly check their security systems and prepare for such incidents.