Data leak
Stiiizy Cannabis Retailer POS Provider Breach (380K Customers)
Incident Details
Stiiizy, a major California-based cannabis brand and retailer, disclosed in January 2025 that a breach via its unnamed third-party POS system provider in approximately October 2024 had exposed records for approximately 380,000 customers. Because cannabis retailers are required to verify customer age and identity, the POS system stored particularly sensitive data including customer names, dates of birth, addresses, driver’s licenses, government-issued ID documents, passports, and cannabis purchase cards/medical marijuana cards. The nature of the data (identity documents tied to regulated cannabis purchases) creates unique reputational and safety risks for affected customers.
Technical Details
- Initial Attack Vector: Threat actors compromised Stiiizy's third-party point-of-sale (POS) system provider, gaining access to customer purchasing records that include highly sensitive government-issued identity documents.
Timeline
- 2024-10-01 Breach occurred
- 2025-01-15 Publicly disclosed
- 2025-01-15 Customers notified