Cannabis club software provider Nefos Solutions faces regulatory scrutiny after nearly one million IDs exposed
Security researcher Sammy Azdoufal uncovered that Cannabis Club Systems left approximately 985,000 photo IDs, including passports and driver’s licences, unprotected on the public internet. Nefos Solutions has since shut down the vulnerable PuffPal system and notified the Irish Data Protection Commission (DPC), but faces potential penalties for failing to report the breach within the 72-hour window the GDPR requires.

Cannabis Club Systems, operating under the name Nefos Solutions, has been implicated in a significant data breach after security researcher Sammy Azdoufal discovered that nearly one million photo IDs were left exposed on the public internet. The vulnerability affected the PuffPal application and associated APIs used by cannabis clubs in Spain for member verification and sales. The exposed dataset included approximately 985,000 passport and driver’s licence images, alongside personal details such as phone numbers, home addresses, and cannabis consumption habits for club visitors.
The breach was identified using automated tools, with Azdoufal noting the assistance of Claude Code in the discovery process. The insecure URLs served the identity documents without any authentication, so anyone who knew or guessed a URL could retrieve them, including documents belonging to visitors from the United States and various celebrities. Nefos co-founder Andreas Nilsen stated that while the database contained data from 30,000 US visitors, there is currently no evidence that anyone other than Azdoufal accessed the information.
Nefos’ response to the vulnerability was marked by delays and operational compromises. It took five days for the company to engage meaningfully with the researcher, and initial attempts to secure the data were inconsistent. On June 4, passport images were briefly re-exposed to keep clubs operating after venue operators complained about the initial lockdown. By June 9, Azdoufal found that while passport images had been tokenised (served only through opaque tokens rather than directly addressable URLs), other profile data could still be retrieved through specific API calls: the fix had been applied to one endpoint rather than to the authorisation layer that all of the endpoints should share, leaving the underlying architectural flaw in place.
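The remediation pattern described above, a document download moved behind opaque tokens while a sibling endpoint still hands out records by caller-supplied ID, is worth seeing in code because the audit that catches it is mechanical. The following is an added example written for this page; it is not PuffPal, 9Series or Nefos code, and the member records, club identifiers, route names and the idea of a club-scoped tenancy key are all constructed assumptions. It contrasts a partially fixed API with one where every handler that takes a member ID is forced through one object-level authorisation check, and includes a small audit function that lists any route the guard does not cover.

```python
import inspect
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    member_id: int
    club_id: str   # club that enrolled the member; assumed tenancy key
    phone: str
    address: str


# Constructed sample records: two members enrolled by two different clubs.
MEMBERS = {
    101: Member(101, "club-a", "+34 600 000 001", "Calle Uno 1"),
    202: Member(202, "club-b", "+34 600 000 002", "Calle Dos 2"),
}
ID_IMAGES = {101: b"PASSPORT-IMAGE-101", 202: b"PASSPORT-IMAGE-202"}


class Forbidden(Exception):
    """Raised for any request the caller is not allowed to make."""


def requires_member_access(handler):
    """Resolve member_id and refuse unless the calling club enrolled that member.

    The wrapped handler receives the already-authorised Member object, so it
    cannot look a record up by a caller-controlled id behind the check.
    """
    def wrapper(self, requester_club, member_id, *args, **kwargs):
        member = MEMBERS.get(member_id)
        if member is None or member.club_id != requester_club:
            # One error for "unknown" and "not yours": no id-enumeration oracle.
            raise Forbidden(f"no access to member {member_id}")
        return handler(self, member, *args, **kwargs)
    wrapper.__name__ = handler.__name__
    wrapper._guarded = True   # marker the audit below looks for
    return wrapper


class PartiallyFixedApi:
    """Image downloads moved behind tokens, but the profile route still trusts
    the caller-supplied id. Constructed to mirror the failure mode in the text."""

    def __init__(self):
        self._image_tokens = {}   # opaque token -> member_id

    @requires_member_access
    def issue_image_token(self, member):
        token = secrets.token_urlsafe(16)
        self._image_tokens[token] = member.member_id
        return token

    def get_image(self, token):
        member_id = self._image_tokens.get(token)
        if member_id is None:
            raise Forbidden("unknown image token")
        return ID_IMAGES[member_id]

    def get_profile(self, requester_club, member_id):
        # Residual flaw: ignores requester_club, returns any member by id.
        return MEMBERS[member_id]


class FixedApi(PartiallyFixedApi):
    """Same surface, but every handler taking a member_id goes through the guard."""

    @requires_member_access
    def get_profile(self, member):
        return member


def unguarded_handlers(api_cls):
    """Audit: public methods that accept a member_id but are not guarded.
    An empty list is the invariant to assert in CI before any route ships."""
    missing = []
    for name, fn in inspect.getmembers(api_cls, inspect.isfunction):
        if name.startswith("_"):
            continue
        if "member_id" in inspect.signature(fn).parameters and not getattr(fn, "_guarded", False):
            missing.append(name)
    return sorted(missing)


def is_forbidden(call, *args):
    """True if the call is refused with Forbidden, False if it succeeds."""
    try:
        call(*args)
    except Forbidden:
        return True
    return False


def can_read_other_clubs_member(api):
    """Cross-tenant probe: can club-b read club-a's member 101 profile?"""
    return not is_forbidden(api.get_profile, "club-b", 101)
```

The point of the decorator is not the check itself but that it replaces the lookup: a handler that only ever sees an authorised `Member` has no way to fetch someone else's record. `unguarded_handlers()` turns the "did we fix every endpoint?" question into a test that fails on the partially fixed class and passes on the fixed one.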
The Irish company has since taken steps to mitigate the damage, shutting down the PuffPal system and the vulnerable APIs. Nefos has notified the Irish Data Protection Commission (DPC), which confirmed the breach in correspondence. Nilsen admitted that the company failed to report the incident within the 72 hours of becoming aware of it that the GDPR mandates, and expects to face regulatory fines. The firm is also terminating its relationship with outsourcing partner 9Series, which developed the PuffPal app and built the vulnerable APIs.
Nefos is currently informing clubs that QR code entry via PuffPal is suspended, though ID verification through other methods such as RFID or phone numbers remains available. Nilsen pledged that any new application launched in the coming months will be independently verified before release. The incident underscores the risk of cloud-hosted identity verification in the hospitality sector when stored documents and member records are not tied to authenticated, authorised requests, and when a fix is applied to one endpoint without auditing the rest of the API.