Medical pot company plugs web security flaw but privacy concerns persist

• Share on Facebook
• Share on Bluesky
• Share on X
• Copy Link

Medical marijuana websites typically request personal information that goes well beyond name, address, age and a copy of photo ID. Some require physical information such as height and weight, along with answers to questions such as whether the applicant has suffered from schizophrenia and what medications they take. 

Week In Review

Week in Review: Week of April 20, 2026

12h ago

Two & Out

PETERS: The good, the bad and the ugly of the Pathways meeting

Apr 24, 2026

Looped In

LOOPED IN WITH NIKKI OMEN: April 23, 2026

Apr 23, 2026

The patched Namaste program, which now returns a “obfuscated” generic message in terms of user names and locks out a user after three failed log-ins, was implemented weeks after a user alerted the company to the problem and The Canadian Press began asking questions about the issue.

Kurtis Cicalo, an Ottawa-based website developer and consultant, said a sophisticated hacker could have accessed a Namaste user’s account in seconds.

While there is no evidence intruders did in fact obtain or misuse users’ medical data, Cicalo said the security flaw was not unique to Namaste, which among other things bills itself as operator of the largest global cannabis e-commerce platform.

“My worry is that these sites have been active for months and although I’d like to believe I’m the first person to notice such obvious security flaws, I have to think I’m not, Cicalo said. “This one was super easy to find. Anyone could have found it. It’s so basic, it should never have happened.”

Cicalo also said he was able to access the site even using a computer address that appeared to originate from abroad.

“If somebody is accessing medical cannabis records from China, it should be a red flag,” said Cicalo, who wondered whether companies cut security corners in their rush to jump on the money-making cannabis bandwagon. “There’s a very basic lack of security on pretty much every company site.”

Cicalo said the officer of the federal privacy commissioner suggested he contact the companies involved and only file a personal complaint as a last resort.

Eugene Ocapalla, a lawyer who teaches drug policy at the University of Ottawa, said users, sellers and those in between have to be more aware of privacy concerns related to pot. Buying marijuana for medical purposes, he said, carries a potential double whammy.

“If somebody’s information gets taken from a website, you’re learning something about the person’s health condition which for one thing is generally considered very sensitive information,” Ocapalla said. “On top of that, you’re talking about a drug that is still much maligned in many circles, including by some foreign jurisdictions, most notably the United States.”

Part of the problem facing web developers is the need to balance ease of use against security concerns. As a rule, the more secure a site, the harder it is for the ordinary user to navigate.

“On password complexity, we had a lot of customers pushing back,” Agate said. “We try to find the best balance.”

Cicalo said he understood the user-friendly vs. security debate, but said he was pleased Namaste, which says it has more than 30 websites in more than 20 countries under various brands, had finally fixed a “major vulnerability.”

Colin Perkel, The Canadian Press