{"id":652899,"date":"2026-06-09T17:00:13","date_gmt":"2026-06-09T15:00:13","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=652899"},"modified":"2026-06-11T14:56:07","modified_gmt":"2026-06-11T12:56:07","slug":"over-88000-ids-and-passports-of-south-africans-who-use-cannabis-have-been-leaked-online","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/652899-over-88000-ids-and-passports-of-south-africans-who-use-cannabis-have-been-leaked-online.html","title":{"rendered":"Researcher reports potential exposure of IDs and passports linked to South African Cannabis Club Systems members"},"content":{"rendered":"\n

A security researcher has claimed that personal records belonging to some members of a platform called Cannabis Club Systems may have been accessible through a reported vulnerability.<\/p>\n\n\n\n

This reportedly included photographs of South African identity cards and passports, which were allegedly exposed to the Internet at publicly-accessible URLs.<\/p>\n\n\n\n

Researcher Sammy Azdoufal said his findings indicated that records relating to members of Cannabis Club Systems from over 40 countries worldwide may have been accessible.<\/p>\n\n\n\n

Cannabis Club Systems provides the digital backend for numerous cannabis dispensaries and clubs across Europe, from Spain to the Netherlands, that sell to customers worldwide.<\/p>\n\n\n\n

Azdoufal said the majority of the members whose private documents may have been accessible were from Spain, while South Africa was the second-most affected region.<\/p>\n\n\n\n

According to the researcher, the data that may have been accessible included full names, email addresses and phone numbers of South Africans who signed up for the cannabis dispensary platform.<\/p>\n\n\n\n

Azdoufal said identity documents were also included, with full ID numbers visible, along with passports, and fields relating to cannabis consumption estimates and strain preferences.<\/p>\n\n\n\n

“I discovered the vulnerability in April 2026 and notified the company. They ignored four emails over 26 days,” Azdoufal told MyBroadband.<\/p>\n\n\n\n

He said that the company had yet to notify affected South Africans or the Information Regulator of South Africa, as required by Section 22 of the Protection of Personal Information Act (POPIA).<\/p>\n\n\n\n

POPIA stipulates that the responsible party or custodian of data must notify the regulator and any data subjects that may have been affected by a compromise.<\/p>\n\n\n\n

However, Cannabis Club Systems does not process personal information in South Africa and thus falls outside of the jurisdiction of the Information Regulator and POPIA.<\/p>\n\n\n\n

The company is based in Dublin, Ireland, according to its privacy policy page<\/a>, and would then be beholden to the General Data Protection Regulation (GDPR) of the European Union (EU).<\/p>\n\n\n\n

Under GDPR, software providers that process personal data of European citizens, regardless of where they are located, have 72 hours to report any data breaches.<\/p>\n\n\n\n

The maximum statutory fine for this specific violation could be up to \u20ac10 million (R191 million) or up to 2% of a company’s total annual revenue for the financial year.<\/p>\n\n\n\n

“We take security and the protection of personal data very seriously,” Andreas Nilsen, Cannabis Club chief technology officer, told MyBroadband.<\/p>\n\n\n\n

“With regard to the timing of our response, the initial communications received did not contain any technical details to allow us to validate or investigate the claims.”<\/p>\n\n\n\n

Technical details about the reported vulnerability<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Nilsen explained that, after receiving the technical report from Azdoufal, the Cannabis Club technical team immediately initiated an internal investigation.<\/p>\n\n\n\n

“As part of that process, we have been validating the reported findings, assessing their scope and impact, preserving relevant evidence, and implementing remediation measures,” they said.<\/p>\n\n\n\n

“Several of the reported issues have already been addressed, including access-control and media-access protections.”<\/p>\n\n\n\n

Nilsen said the company’s investigation was ongoing and that it could not comment further on the final scope or impact of the reported issues.<\/p>\n\n\n\n

“We are currently assessing our regulatory and notification obligations across the jurisdictions in which we operate and are cooperating with the relevant authorities where appropriate.”<\/p>\n\n\n\n

According to the detailed report from Azdoufal, he found a vulnerability in CCS Nube, the SaaS backend platform used by Cannabis Club Systems.<\/p>\n\n\n\n

Azdoufal’s report indicates that CCS Nube hosts the database, the API, the identity verification workflow, the messaging layer and other digital infrastructure.<\/p>\n\n\n\n

One aspect of CCS Nube is PuffPal, a white-label Android app that some clubs connected to Cannabis Club Systems to offer their members smartphone-based ordering and messaging.<\/p>\n\n\n\n

This app is optional; however, it is linked to the same database that the entire infrastructure backend uses.<\/p>\n\n\n\n

“The app was my entry point into the research. It was not the source of the vulnerability. The vulnerability was the backend,” Azdoufal said.<\/p>\n\n\n\n

Azdoufal said the records related to members of clubs that used CCS Nube, not only users of the PuffPal app.<\/p>\n\n\n\n

The researcher said that the database indexes user information with sequential integers, which could be exploited through a simple script to pull information from the API.<\/p>\n\n\n\n

“There was no authentication token, no session cookie, no API key. I sent the request with my own user ID, then with a neighbouring integer,” he said.<\/p>\n","protected":false},"excerpt":{"rendered":"

The personal records of over 88,000 South Africans, including scanned IDs, were exposed to the Internet, a security researcher has found.<\/p>\n","protected":false},"author":341213,"featured_media":648638,"comment_status":"open","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[105785,14673,59643,105782,105783,15227,51055,62830,105786,105784],"class_list":["post-652899","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-andreas-nilsen","tag-api","tag-cannabis","tag-cannabis-club-systems","tag-ccs-nube","tag-cybersecurity","tag-gdpr","tag-popia","tag-puffpal","tag-sammy-azdoufal"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/652899"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=652899"}],"version-history":[{"count":5,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/652899\/revisions"}],"predecessor-version":[{"id":653555,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/652899\/revisions\/653555"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/648638"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=652899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=652899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=652899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}