Incident FAQ
-
What happened?
A bad actor was able to gain access to certain files and other records containing personal information about customers of Stiiizy and its affiliate, Authentic 209 (together “Stiiizy”), at four specific retail locations: (1) Stiiizy Union Square; (2) Stiiizy Mission Street; (3) Stiiizy Alameda; and (4) Authentic 209. The bad actor(s) were able to download these records through Stiiizy’s account with its point-of-sale ID verification vendor. Upon receiving notice of the incident, Stiiizy launched its own investigation to assess the extent of the impact. Stiiizy has determined that certain customers’ personal information and documents were acquired by the bad actors.
Unfortunately, we have confirmed that the threat actors were able to acquire the personal data of some of our customers. We have engaged experts to monitor the dark web for evidence of these records.
-
When did Stiiizy learn of the incident?
Stiiizy’s point-of-sale ID verification vendor first notified Stiiizy of this incident on November 20, 2024. After being notified, Stiiizy investigated the incident to determine the impacted records and the nature of the breach.
-
Why am I being notified about this incident now?
Stiiizy is committed to notifying its customers about impacts to their personal information. Since learning of the incident, we have investigated and confirmed the scope of the incident and affected individuals. We have been working with our team of legal counsel, consultants, and vendors to collect and confirm the information necessary to notify affected consumers.
-
Has Stiiizy notified potentially affected individuals?
Stiiizy has been working to notify the individuals whose information was impacted in a timely manner. Notice of the incident has been posted on the Stiiizy website. If you have been a customer of one of the impacted locations, it is possible that your personal information was viewed or acquired by the bad actors. Please see the response to Question 5, below, for more information about the specific locations. Additionally, if you were notified directly by Stiiizy about the incident, your personal information was impacted.
-
How many people were affected by this incident?
Based on our investigation, the incident only impacted consumer profiles associated with the following four locations:
- STIIIZY Union Square: 180 O’Farrell Street, San Francisco, CA
- STIIIZY Mission: 3326 Mission Street, San Francisco, CA
- STIIIZY Alameda: 1528 Webster St., Alameda, CA
- Authentic 209: 426 McHenry Ave, Modesto, CA
If you have been a customer at one of these four locations, it is likely that your personal information was included in the breached data.
-
What kind of personal information was involved?
The personal information acquired by the bad actors includes personal information on government-issued identification cards, such as drivers’ licenses and medical cannabis cards, as well as information related to transactions with our dispensaries. The categories of information compromised include name, address, date of birth, age, drivers’ license number, passport number, photograph, the signatures appearing on a government ID card, medical cannabis cards, transaction histories, and other personal information. Not all of this information was involved for each impacted individual.
-
Has the incident been contained?
Stiiizy has taken efforts to secure the impacted accounts and is not aware of any ongoing threat.
-
Was there any operational disruption as a result of this incident?
No, this incident has not affected Stiiizy’s business operations.
-
What actions did Stiiizy take in response to this incident?
Promptly after learning of the incident, Stiiizy took steps to understand its nature and scope and to secure its systems. Stiiizy engaged legal counsel and cybersecurity consultants to assist with its investigation and incident response efforts. Stiiizy also notified law enforcement of the incident. Additionally, Stiiizy is offering free credit monitoring services for affected individuals.
-
Has Stiiizy contacted law enforcement about this incident?
Yes, Stiiizy has notified law enforcement, including the FBI, about this incident.
-
Does Stiiizy have any indication that anyone has suffered identity theft as a result of this incident?
No, Stiiizy is currently not aware whether information has been misused. However, it is recommended that you review the identity theft materials posted for consumers on your state attorney general’s website and on the Federal Trade Commission’s (FTC) website at http://www.ftc.gov/idtheft. These websites provide detailed information about protecting yourself from identity theft and about steps to take if it occurs.
-
What is Stiiizy doing to prevent this from happening again?
While no security system is perfect, Stiiizy is taking measures to protect against this type of attack in the future. Stiiizy plans to undergo cybersecurity assessments to prevent this type of incident in the future.
-
What steps should I immediately take?
Stiiizy recommends that you be vigilant in reviewing your account statements and credit reports, and that you immediately report any unauthorized activity to your financial institutions. Stiiizy also recommends that you monitor your personal information and visit the Federal Trade Commission’s website, www.ftc.gov/idtheft, to obtain information about steps you can take to better protect against identity theft as well as information about fraud alerts and security freezes.
-
What is credit monitoring?
Credit monitoring services protect primarily against new account fraud. This form of fraud occurs when a criminal uses your personal information to open credit card, mobile phone, or other financial accounts using your name, Social Security number and other personal information. New account fraud can be difficult to detect because the criminal generally has billing statements sent to an address other than your real address. Beginning on the date of enrollment, credit monitoring provides an alert whenever changes occur to your credit files. This notification will be sent to you the same day that the change or update takes place with any of the three credit bureaus. You can learn more about credit monitoring at https://www.privacyrights.org/identity-theft-monitoring-services.
-
Does Stiiizy provide credit monitoring services?
In response to the incident, we are providing impacted individuals with access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge. These services provide enrollees with alerts for 12 months from the date of enrollment when changes occur to their credit file. This notification is sent to enrollees the same day that the change or update takes place with the bureau. Finally, we are providing enrollees with proactive fraud assistance to help with any questions that they might have or in the event that they become a victim of fraud. These services will be provided by Cyberscout, a TransUnion company specializing in fraud assistance and remediation services.
-
How do I enroll for the free services?
Individuals who believe they may have been impacted can enroll in credit monitoring services at no charge. To enroll, please log on to https://bfs.cyberscout.com/activate and follow the instructions provided. When prompted, please provide the following code to receive services: STINCGOLDPLUS. In order for you to receive the monitoring services described above, you must enroll within 90 days from the date of this notice. Enrollment requires an internet connection and an e-mail account and may not be available to minors under 18 years of age. Please note that when signing up for monitoring services, you may be asked to verify personal information for your own protection to confirm your identity.
-
What is a security freeze?
A security freeze – which is also sometimes called a credit freeze – prohibits a credit bureau from releasing your credit report without your consent. However, placing a security freeze may delay, interfere with or prohibit the timely approval of any application you then make regarding a new loan, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular telephone, utilities, digital signature, Internet credit card transaction or other services, including an extension of credit at a point of sale. Because of this, you may need to remove or temporarily lift the security freeze. Also, if you have a security freeze in place and decide to apply for credit monitoring, you might need to temporarily lift the security freeze and then re-activate it after you are enrolled in credit monitoring. Here are some general things you should know about placing a security freeze:
- If you choose to place a security freeze, you will need to place one with each individual credit bureau, because the instructions and processes differ from one credit bureau to another.
- When you place a security freeze, your credit file cannot be shared with potential creditors, insurance companies or other third parties.
- A security freeze is not completely fail-safe because creditors can issue credit without pulling a credit report. A security freeze will not prevent current creditors and businesses with which you have prior relationships (such as credit card companies, insurance providers and financial institutions) from reporting to or accessing your credit file information. It does, however, prevent new potential creditors and new third parties from gaining access to your credit files.
- Each credit reporting agency has five business days from receipt of your request to place a security freeze.
- Each credit reporting agency has three business days from receipt of your request to lift a security freeze.
- Depending on where you reside, credit bureaus may sometimes charge a fee for placing, removing or temporarily lifting a security freeze. But many states require that consumers be allowed to place and remove a security freeze free of charge.
-
Is a credit freeze different from a security freeze?
No, they are the same thing. The question above describes what a security freeze – also sometimes called a credit freeze – does.
-
Should I notify the Social Security Administration to change my social security number?
The Social Security Administration is unlikely to change your Social Security number in the absence of any evidence that your Social Security number is actually being misused. In addition, according to information on the Social Security Administration’s website, https://www.ssa.gov/pubs/EN-05-10064.pdf, changing your Social Security number may create additional problems because you would lose your existing credit history and because other government agencies (including the Internal Revenue Service and the Department of Motor Vehicles) and private businesses (such as banks and credit reporting companies) are likely to have records under your current Social Security number.
-
What should I do if I believe my personal information has been used fraudulently?
You should immediately: (1) report the crime to your local law enforcement agency, including attorney general and the Federal Trade Commission, (2) contact any creditors involved, and (3) notify all three credit bureaus. You may also choose to put a credit freeze on your file; please note that there may be a cost associated with this. Additional guidance is available on the Federal Trade Commission’s website at http://www.ftc.gov/bcp/edu/microsites/idtheft.
-
What is the legal recourse for an individual whose data is compromised?
Unfortunately, we cannot provide you legal guidance on this matter.