Español
Cannabis Club Systems (CCS) is aware of recent media reports regarding alleged security vulnerabilities and claims that user information has been publicly leaked.
We would like to reassure our clients, partners, and members that CCS takes the privacy and security of personal information extremely seriously.
Recently, CCS was notified by an independent security researcher of security vulnerabilities affecting components of the PuffPal platform. Upon receiving this information, our technical team immediately launched an investigation, implemented remediation measures, engaged additional technical specialists, and conducted a broader review of the affected systems.
As a precautionary measure, PuffPal and its associated backend services have been temporarily suspended while this review is completed. The reported vulnerabilities have been remediated and the previously identified endpoints are no longer accessible.
It is important to distinguish between the existence of a security vulnerability and a confirmed public data leak.
While vulnerabilities were identified and remediated, CCS has not identified any verified evidence that personal information was publicly leaked, published, or distributed. Investigations into the historical extent of any unauthorised access remain ongoing.
Reports currently circulating appear to conflate the existence of a security vulnerability with a confirmed data leak. These are not the same thing. The identification of a vulnerability does not in itself constitute evidence that personal information was extracted, published, or made publicly available.
In cybersecurity matters, there is a significant difference between:
- The existence of a vulnerability
- The potential ability to access information through that vulnerability
- Verified evidence that information was extracted, distributed, or publicly disclosed
These are separate issues and should not be treated as interchangeable.
CCS disputes a number of claims, assumptions, and conclusions that have appeared in recent media reporting and believes certain reports conflate the existence of vulnerabilities with a confirmed public data leak.
CCS has served regulated Cannabis organisations across multiple jurisdictions for over 12 years and operates within a highly sensitive compliance environment. Protecting confidential information remains one of our highest priorities, and we continue to invest in strengthening our security infrastructure and governance processes.
We are currently conducting a full review of the reported findings, implementing additional safeguards where necessary, assessing any regulatory obligations, and cooperating with relevant authorities and stakeholders as appropriate.
We have also notified the Irish Data Protection Commission and continue to cooperate with the relevant authorities as part of our ongoing investigation and compliance review.
We also encourage responsible reporting on cybersecurity matters. Accuracy is critical when dealing with personal information and privacy-related issues. Public reporting should clearly distinguish between verified facts, technical findings, allegations, assumptions, and matters that remain under investigation.
We understand the concern that reports of this nature may cause and are committed to communicating openly and transparently as additional verified information becomes available.
We thank our clients, partners, and members for their continued trust and support.
Andreas Nilsen
Chief Technology Officer
Cannabis Club Systems