What Happened
In September 2025, Curaleaf, a major U.S. cannabis retailer, suffered a data breach claimed by the threat actor Miga. The incident was discovered on September 25, 2025, and is listed among numerous breaches that month on BreachSense. Public reports give no specific details on the type of data exposed or the number of records affected.

This event is distinct from a November 2025 federal class-action lawsuit. That suit alleges Curaleaf secretly allowed ad-tech firms like Google, Sweed, InRadio, and StackAdapt to track Florida medical marijuana patients’ browsing, purchases, and personal details (e.g., name, phone, email, address) via embedded website scripts starting as early as June 5, 2025, potentially exposing protected health information for “many thousands” without consent, in violation of privacy laws.

No evidence confirms a traditional cyber intrusion like ransomware in 2025 beyond the BreachSense listing, and Curaleaf has not publicly detailed the incident.



