A major cybersecurity incident has raised concerns among South Africans after reports emerged that the personal information of more than 88,000 people linked to cannabis-related activities was allegedly leaked online. The exposed information reportedly includes sensitive identity documents, including South African ID numbers and passport details.
The breach has sparked renewed debate around data privacy, especially within the cannabis community, where many individuals already operate in a sensitive legal and social environment.
According to reports, the leaked database was connected to people who had interacted with cannabis-related platforms or services, especially for cannabis dispensaries. The exposure of identity documents creates potential risks such as identity theft, fraud, impersonation, and targeted scams.
Personal information such as ID numbers and passport details is highly valuable to criminals because it can be used to create fake accounts, attempt financial fraud, or trick victims through social engineering attacks. This is why data leaks are so important to prevent.
The incident highlights the importance of protecting personal data when using online platforms, especially in industries like cannabis where consumers, patients, growers, and businesses may be concerned about privacy.
South Africa’s cannabis sector has expanded significantly in recent years, with more people becoming involved in cultivation, medical cannabis, education, and related services. As the industry grows, so does the need for responsible handling of customer information and stronger cybersecurity practices.
Experts recommend that anyone potentially affected should remain cautious, monitor financial accounts, avoid suspicious messages or emails, and be careful about sharing personal information online.
The incident also raises broader questions about how companies store sensitive user data and whether enough safeguards are in place to protect consumers.
For the cannabis community, privacy remains a major concern. Many users have historically been cautious about attaching their personal identities to cannabis-related activities, and a breach of this nature could further impact trust in online services.
“I discovered the vulnerability in April 2026 and notified the company. They ignored four emails over 26 days,” Azdoufal told MyBroadband.
He said that the company had yet to notify affected South Africans or the Information Regulator of South Africa, as required by Section 22 of the Protection of Personal Information Act (POPIA).
POPIA stipulates that the responsible party or custodian of data must notify the regulator and any data subjects that may have been affected by a compromise. Source
However, Cannabis Club Systems does not process personal information in South Africa and thus falls outside of the jurisdiction of the Information Regulator and POPIA.
The company is based in Dublin, Ireland, according to its privacy policy page, and would then be beholden to the General Data Protection Regulation (GDPR) of the European Union (EU).
Under GDPR, software providers that process personal data of European citizens, regardless of where they are located, have 72 hours to report any data breaches.
The maximum statutory fine for this specific violation could be up to €10 million (R191 million) or up to 2% of a company’s total annual revenue for the financial year.
As South Africa continues developing its cannabis industry, data security will need to become a priority alongside regulation, compliance, and consumer protection.