985,841 passport scans (including mine), and the private messages of every member it ever served, on a server with no authentication.
1,020,457 members, 94% of the total, are classified by the software as medicinal cannabis users. Whether they used the PuffPal app or not. Whether they had ever heard of PuffPal or not.
Under GDPR Article 9, health data is the most protected category of personal information. It cannot be processed without explicit consent and adequate safeguards. A breach of health data triggers the highest tier of regulatory penalties: up to €20 million or 4% of global annual turnover. The standard notification obligations under Article 33 apply within 72 hours of discovery.
The irony is architectural. The clubs collected all this information, applied a medical classification to every member, stored that classification alongside passport scans and home addresses, and then left all of it accessible via an unauthenticated HTTP endpoint that accepted any integer from 1 to however many members the club had.
The physical bouncer at the door checks your member card. The digital one wasn't there.
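As an added illustration (not the PuffPal software's code, which is not on the page), here is the lookup written the way the article describes it, beside a version with the digital bouncer in place. The member records, session tokens and roles are constructed for the example.

```python
from typing import Optional, Tuple

# Constructed sample data: two members of one club. Each record carries the
# kinds of fields the article describes (passport scan, address, medical flag).
MEMBERS = {
    1: {"name": "A. Example", "passport_scan": "scan_0001.jpg",
        "address": "1 Example St", "medicinal": True},
    2: {"name": "B. Example", "passport_scan": "scan_0002.jpg",
        "address": "2 Example St", "medicinal": True},
}

# Constructed session store: opaque session token -> (member_id, role).
SESSIONS = {
    "tok-member-1": (1, "member"),
    "tok-staff": (None, "staff"),
}


def get_member_vulnerable(member_id: int, session_token: Optional[str] = None) -> Optional[dict]:
    """The pattern the article describes: any integer id returns the full
    record, and the session token is never even looked at."""
    return MEMBERS.get(member_id)


def get_member(member_id: int, session_token: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Hardened handler, returning (http_status, body):
    1. authenticate the session before touching any data;
    2. authorise this caller for this specific record (owner or staff);
    3. answer 404 for both 'missing' and 'not yours', so the endpoint cannot
       be used to discover which ids exist;
    4. give staff only the fields their role needs (no passport scan)."""
    session = SESSIONS.get(session_token or "")
    if session is None:
        return 401, None                      # no valid session: reject first
    caller_id, role = session
    record = MEMBERS.get(member_id)
    if record is None or not (role == "staff" or caller_id == member_id):
        return 404, None                      # same answer whether absent or forbidden
    if role == "staff":
        return 200, {k: v for k, v in record.items() if k != "passport_scan"}
    return 200, record
```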