C A.I CyberSecurity Scoring
C
Company Information
Website:http://cannabisclub.systems/
Employees number:2
Number of followers:0
NAICS:5415
Industry Type:IT Services and IT Consulting
Homepage:cannabisclub.systems
C Risk Score (AI oriented)
Between 700 and 749
CIT Services and IT Consulting
Updated:
10/06/2026
10/06/2026
720/1000
Moderate
Ba
C Global Score (TPRM)
xxxx
CIT Services and IT Consulting
Score locked

CModerate
Current Score
720Ba (MODERATE)
01000
1 incidents
-68 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
721
JUNE 2026
720
MAY 2026
786
Breach
01 May 2026 • C
Cannabis Club Systems: Nearly a million passports and photo IDs were left unprotected on the public internet
Massive Data Exposure: Over 985,000 Photo IDs Left Unprotected in Cannabis Club Software Breach
718
CRITICAL-68
CCS1781130576
Massive Data Exposure: Over 985,000 Photo IDs Left Unprotected in Cannabis Club Software Breach
Security researcher Sammy Azdoufal uncovered a severe data exposure involving over 985,000 photo IDs, including passports, driver’s licenses, and personal details, left publicly accessible on the internet due to critical security flaws in software used by cannabis clubs in Spain. The breach, discovered in May, stemmed from Cannabis Club Systems (CCS), an Irish company formerly known as Nefos Solutions, which provides verification and management software for cannabis clubs.
Azdoufal, who previously exposed vulnerabilities in DJI robot vacuums and baby monitors, found that CCS’s systems stored sensitive documents at unprotected public URLs, requiring no authentication to access. The exposed data included names, phone numbers, home addresses, cannabis consumption habits, and even selfies affecting visitors from over 30 countries, including 30,000 U.S. citizens and reportedly some celebrities.
The issue originated from CCS’s PuffPal app, which clubs used for member verification via QR codes. Azdoufal’s investigation revealed hardcoded Stripe API keys, unsecured admin portals, and weak club passwords that could be cracked with minimal effort. Even after initial fixes, CCS temporarily re-exposed data to accommodate club complaints, prioritizing functionality over security.
Following pressure from Azdoufal and media inquiries, CCS shut down PuffPal and vulnerable APIs on June 10, securing the exposed IDs. The company has since reported the breach to Ireland’s Data Protection Authority (DPC), though it missed the 72-hour GDPR disclosure deadline, risking fines. CCS co-founder Andreas Nilsen acknowledged the lapse, blaming an outsourcing firm, 9Series, for the flawed development but taking responsibility for the oversight.
While Nilsen claims no evidence of malicious access beyond Azdoufal’s findings, the incident highlights widespread risks in third-party software security, echoing a similar breach last month where a UK visa portal exposed 100,000 passports via unsecured URLs. CCS plans to replace PuffPal with a independently audited app and has severed ties with 9Series.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
APRIL 2026
786
MARCH 2026
786
FEBRUARY 2026
786
JANUARY 2026
786
DECEMBER 2025
786
NOVEMBER 2025
786
OCTOBER 2025
786
SEPTEMBER 2025
786
AUGUST 2025
786
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for C ??
What was C's A.I Rankiteo Cyber Score in June 2026 ??
What was C's A.I Rankiteo Cyber Score in May 2026 ??
What was C's A.I Rankiteo Cyber Score in April 2026 ??
What was C's A.I Rankiteo Cyber Score in March 2026 ??
What was C's A.I Rankiteo Cyber Score in February 2026 ??
What was C's A.I Rankiteo Cyber Score in January 2026 ??
What was C's A.I Rankiteo Cyber Score in December 2025 ??
What was C's A.I Rankiteo Cyber Score in November 2025 ??
What was C's A.I Rankiteo Cyber Score in October 2025 ??
What was C's A.I Rankiteo Cyber Score in September 2025 ??
What was C's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on C's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with C ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view C's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?