Skip to content

OCS Data Theft: The Whole Story

By: Jennawae McLean, Executive Director, NORML Canada

My day job is highly regulated. My partner and I own Calyx + Trichomes, an independent cannabis retailer in beautiful and friendly Kingston, Ontario (right between Toronto and Ottawa and about 40 minutes from New York state). As a retailer, the Alcohol and Gaming Commission (AGCO) handles my licensing and I purchase cannabis from the Ontario Cannabis Store (OCS). Every month I have to submit my sales reports to the AGCO (and I must give permission for them to share with the OCS or submit the report to the OCS myself). These reports contain private store raw cannabis data (like sales reports, broken down product by product, region by region, with sell through rates and velocity). While these reports contain no details about accessories, you can basically see the movement of 85% of a store’s inventory. You can see how much inventory is transferred between stores and how much is on hand at any given time. The only databases where all this data exists are at the AGCO and (because we’re required to share data) the OCS.

I diligently submit my reports before the fifth of every month. They get uploaded to the AGCO website and if I screwed something up I get an email to correct the error, otherwise I carry on with my life until the next month.

In early March 2022, a day or two after submitting the reports I had heard rumours about a large national chain having access to these reports, but I thought “Impossible! I only share with the AGCO and OCS, this is a conspiracy theory!” And almost completely dismissed it. There was no proof, it was all hearsay. In the spirit of transparency I still let both the AGCO and OCS know there were rumblings of a data leak. My contact at the AGCO took it very seriously and initiated an investigation immediately to ensure there was no way a leak could have come from their side. My contact at the OCS was as skeptical as I was, but still bubbled it up.

Within a couple weeks, both the OCS and AGCO followed up saying their investigation was fruitless, they absolutely could not find any source of a leak. I went back to the person I was hearing rumours from and let them know an investigation happened and nothing was found. Without proof there was really nothing the AGCO or OCS could do.

Then, 3 weeks later on April 19, the proof came. A retailer who I am friends with in another region sent 2 pictures of an Excel file with what appeared to be raw csv file export data that had been manipulated to show rankings for the province. One picture showed the top 20 stores (which Calyx + Trichomes is in, so I was able to verify the data was correct) and the bottom 20. I then angrily forwarded both to the AGCO and OCS saying “we need to talk.”

Within a few minutes I was stomping around my living room (I had just tested positive for Covid) freaking out on the phone about my private data being out there for the whole world to see. As an independent retailer, no one is entitled to access our data. We don’t have shareholders, we don’t answer to a boardroom. Our data (what we order, how often, how large our stash room is, how big our orders are) is private information. These are not only trade secrets but also make us an even larger target for robbery. Beyond that, releasing the rankings of stores shows which locations are high traffic (making them targets for either acquisition or competition—we had someone open almost next door).

On April 20, I was sent the full Excel file. It was titled “December Ontario Retail Performance.” There was the raw data I could see and manipulate and then as I scrolled over I could see there was an extra line (that I hadn’t previously been able to see in the screenshots) that didn’t appear to be raw—it was added post export. It showed which stores were independent and which stores were corporate chains. It even showed who the original author was (sorry, not revealing that publicly).

A screenshot of the file data.

We have been lucky enough to achieve success in one of the most regulated and competitive markets in the world. We are very much in a David v. Goliath scenario competing with national chains who have a seemingly endless supply of money and resources. These large retailers strategically run at a temporary loss until independents like us are forced to close because we can’t afford those losses month after month (and after competition is eliminated the prices will get jacked back up).

Anyways, I forwarded the Excel file to the AGCO, the OCS and one of my lawyers. The OCS thanked me for sending it and referred to the data as having been misappropriated. The AGCO said they would be working with the OPP to investigate the OCS and anyone who was responsible for sending and receiving the file. They specifically said if a license holder is involved in this “misappropriation” (theft) their licensing would be in jeopardy. I was also told the OPP will want to speak with me. My lawyer told me that this is definitely a breach of the agreement I have with the OCS, and that they would be contacting their counsel.

I started tweeting confirming the existence of these reports from my work accounts. A journalist reached out to me to see if I had seen a specific set of data. They sent me another screenshot. I was able to match up my numbers and confirm that January was also out there. I forwarded this again to all the appropriate people. The original retailer who forwarded me the December screenshots also alluded to July 2021 data being public (although I have yet to see that, I believe it considering I saw December and January with my own eyes). It’s confirmed at least several months had been “misappropriated” and I don’t think it’s a stretch to assume the rest are also floating around.

I was contacted by the AGCO, and they confirmed that the OPP was going to be contacting me for an interview to understand whether there was anything criminal happening at the OCS. Was the data being sold? How high up did this go? Not long after that I had two friendly officers sitting in my office asking about my version of events. I showed them everything I could, how to interpret the data and my own monthly reports to confirm it was all correct. I caught a little heat from some ACAB canna-activists within our community who felt I shouldn’t ever work with police. My opinion is that it isn’t my job to protect thieves and the reason we legalized cannabis was so that police resources would be redirected to actual crime (which theft is). I’ve been raided and arrested and sat in a jail as well, I understand that dealing with police can be traumatic for some. I prefer to work with the system to change it.

The OPP asked me what my ideal outcome is and it’s fairly simple: The people who did this need to be held accountable. The person/people at the OCS who are responsible directly or indirectly should no longer hold those positions of trust. If it is found that a licensed entity/entities are responsible for the data theft, they should lose their licensing. If that same entity bribed a government official they should be also held criminally responsible. If there is corruption all the way up the chain and the OCS cannot be trusted with this data, they should not be receiving it.

We have very few competitive edges in this industry. The only thing we have is our heart and experience. Our experience is one of the things that makes us special and guides how we buy, what we buy, why we buy and when we buy. With the data exported in the reports you can easily decode our ordering and stock strategies, and how liquid we are/what we can afford (all orders from the OCS are paid upfront, there are no terms or credit accounts). From these reports you can determine what kind of profit we are making and what our pricing strategy is. With this data being public, our hand is fully open, we are fully exposed with a huge target on our backs. The other (and more common) issue is that for retailers who aren’t doing as well, this report being public is totally embarrassing. Any store on Queen St. in Toronto would be especially embarrassed with that carnage and their numbers on display.

Where is the case now? With the OPP. They are completing an investigation and if/when charges are made they will be made public. There have been murmurs of a class action lawsuit being put together by a group of retailers in Ontario. My personal opinion is that is premature considering the OPP is still investigating and the AGCO and OCS have yet to comment further. I have heard one person was relieved of their position (the person who’s computer exported the data) but nothing further. If you are an affected retailer (which you are if you had a store open in December 2021 or January 2022) we would recommend reviewing your legal options and getting advice from your own lawyer.

Leave a Reply

Your email address will not be published.