Cyber Incident Victim: Cann Group Limited
Date:
Feb 2021
Location:
Australia
Summary
A cannabis company fell victim to a sophisticated cyber fraud scheme, resulting in an unauthorized $3.6 million payment to a fraudulent overseas contractor instead of the intended recipient. The unknown attacker exploited the firm during a construction project, prompting immediate security enhancements to its IT systems and collaboration with its bank to recover funds. The company engaged insurers to assess potential coverage for the loss and reported the incident to law enforcement agencies across multiple jurisdictions, including Victoria, the Netherlands, Hong Kong, and drug regulatory authorities. Following the disclosure, its shares declined approximately six percent, compounding existing financial pressures highlighted by significant quarterly operating cash outflows against minimal receipts, though it retained substantial cash reserves.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around February 8, 2021, Cann Group Limited (ASX:CAN), a Victoria-based medical cannabis company, disclosed a cyber attack involving fraudulent diversion of funds during construction of its Mildura production facility. The company reported transferring $3.6 million to what it believed was an overseas contractor involved in the 34,000 square meter facility's development. Subsequent investigation revealed the payment had been intercepted by an unidentified third party through what Cann Group described as a "complex and sophisticated cyber fraud" targeting both the company and its legitimate overseas contractor. The breach method and specific attack vectors were not disclosed in public statements. Cann Group immediately implemented enhanced security measures for its IT systems following detection of the fraud. The company entered a trading halt on the ASX prior to the announcement, with shares falling approximately 6% to 62 cents upon resumption of trading on February 8.
Cann Group engaged multiple entities to mitigate financial losses and investigate the incident, contacting its bank to determine potential fund recovery options and initiating insurance claim procedures with unspecified providers. The company filed reports with law enforcement agencies across three jurisdictions: Victoria Police, Dutch authorities, and Hong Kong police, alongside notifying Australia's Office of Drug Control. At the time of disclosure, the perpetrator remained unidentified and no claims of responsibility had surfaced. The incident occurred amid significant capital expenditures for Cann Group, which had secured a $50 million debt facility with National Australia Bank in November 2020. Financial disclosures showed operating cash outflows of $5.314 million against receipts of $99,000 in the December 2020 quarter, with $27.766 million cash reserves reported at quarter-end. The $3.6 million fraud represented a material financial impact relative to these figures, though insurance coverage status remained undetermined at the time of public reporting.