Nevada accidentally leaks thousands of medical marijuana dispensary applications


Nevada’s state government website has leaked the personal data of over 11,700 applicants for dispensing medical marijuana in the state.

Each application includes the person’s full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant’s driving license number (where applicable) and Social Security number.

But it’s not immediately clear how many years the applications date back.

Security researcher Justin Shafer found the bug in the state’s website portal, which allows anyone with the right web address to access and enumerate the thousands of applications.

Though the medical marijuana portal can be found with a crafted Google search query, we’re not publishing the web address out of caution until the bug is fixed.

Each application, eight pages in length, is still accessible via the web address as of Wednesday morning.

Nevada was one of the first states to legalize medical uses of marijuana during the 2000 election, but uses were limited to patients who had cancer, HIV and AIDS, or chronic conditions such as glaucoma and severe pain, and who had a valid doctor’s note.

The state most recently voted to legalize recreational use of the drug.


We left a number of voicemails for applicants prior to publication but did not hear back at the time of writing.

A spokesperson for the Nevada Dept. of Health and Human Services, which runs the medical marijuana application program, did not return an email on Wednesday.
