FTC seeks to penalize Drizly and its CEO over a breach that exposed 2.5 million users’ data

The Federal Trade Commission wants to limit the amount of personal information Drizly can collect as part of the enforcement actions it's proposing against the marketplace and its CEO. According to the FTC, the alcohol delivery service that Uber had purchased in 2021 and its chief executive, James Cory Rellas, were alerted to security issues way back in 2018. The commission has found that they had failed to adequately protect their users' information, which enabled a data breach in 2020 that exposed the data of 2.5 million users.

Based on the FTC's original complaint, a Drizly employee posted the company's logins for its Amazon Web Services (AWS) cloud account on GitHub in 2018. Drizly stores users' details, such as their emails, postal addresses, phone numbers, and even their unique device identifies, geolocation info and any other data purchased from third parties that can be linked back to them on AWS. Hackers were able to use those logins to infiltrate Drizly's servers and use them to mine cryptocurrency. 

While Drizly took back control by changing its login information, the FTC says it failed to implement “reasonable safeguards” to protect its users and to address its security issues despite publicly claiming that it had done so. In 2020, a hacker was able to get into an employee's account and access the company's GitHub. They then hacked into Drizly's database and stole the personal information of 2.5 million customers, which had since been offered for sale on at least two different websites on the dark web.

The FTC says those events were made possible by Drizly's poor security practices, such as not requiring employees to use two-factor for GitHub, where it stored login information. Drizly also didn't limit workers' access to users' personal data, the FTC adds, and had no senior executive overseeing its security practices. 

Under the FTC's proposed orders, Drizly will have to destroy any personal data it previously collected that's not necessary to be able to provide its services. It will also have to refrain from collecting unnecessary data in the future and will have to publicly divulge the information it requires from users on its website. In addition, it will have to implement a comprehensive security program and appoint an executive to oversee its operations. 

The commission has also issued orders that personally apply to Rellas due to the role he played in presiding over Drizly's lax security practices. If Rellas decides to leave the alcohol deliver service, he will still be required to implement an information security program at future companies where he takes on the role of a CEO, majority owner or senior executive involved in security. As The Washington Post notes, the FTC rarely singled out executives in similar security breach cases in the past, and this indicates a new approach at handling companies with inadequate security measures.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a statement:

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness. CEOs who take shortcuts on security should take note.”

The FTC will publish these proposed orders soon, and they will be open for public comment for 30 days before the commission decides if will make them official.