- The Federal Trade Commission issued a proposed order against Drizly, an online liquor marketplace owned by Uber, over security practices that exposed the data of about 2.5 million consumers.
- The original FTC complaint said Drizly officials were aware of data security problems at the Boston-based company for two years before a 2020 data breach, but failed to take steps to secure customer data from hackers.
- The FTC will require Drizly to destroy unnecessary data and restrict future data collection practices. Drizly CEO James Cory Rellas is also required to implement an information security program in future executive roles if that new business grows to collect information on more than 25,000 consumer accounts.
Dykema attorney Sean Griffin said the FTC order should be seen alongside the prosecution of the ex-chief security officer of Uber as part of a larger push for accountability for companies and their senior executives.
“Whoever accepts that responsibility needs to work with counsel to ensure that the company complies with its legal duty with respect to data collection, data retention and cybersecurity, and they must thoroughly document that compliance,” Griffin said.
In 2018, a Drizly executive was granted access to the company’s GitHub repositories in order to participate in a one-day hackathon, according to an FTC complaint. However, the company never required multifactor authentication, failed to terminate the access and the password had been previously used on the executive’s personal accounts.
By 2020, a malicious hacker accessed the executive’s GitHub account with credentials from an unrelated breach, according to the complaint. The hacker was able to access one of Drizly’s GitHub repositories, modify AWS security settings and exfiltrated a user table with 2.5 million customer records.
Drizly never detected the breach or exfiltration of records, and later found the records were being offered for sale on the dark web, according to the filing.
In a separate 2018 incident, a Drizly employee posted the company’s AWS credentials on a public GitHub repository and the company’s AWS servers were used to mine cryptocurrency.
The FTC said personal information from Drizly’s databases has been offered for sale on the dark web, including on raidforums.com. However, the FTC complaint said the company had previously posted information on its website saying data was securely stored.
Drizly will need to destroy any data that is not considered necessary for its business and must limit future data collection, the FTC said. The company needs to put a high level executive in charge of a newly implemented information security plan, which includes employee training, controls over data access and multifactor authentication.
The order also requires Rellas to implement a similar program if he becomes a CEO, majority owner or a senior executive at a future company that collects data from more than 25,000 consumers. Rellas, who became CEO in 2018, is a co-founder of Drizly and the former COO.
“Today’s actions will not only correct Drizly’s lax data security practices, but should also put other market participants on notice,” FTC Chair Lina Khan, joined by Commissioner Alvaro Bedoya, said in a statement.
The FTC will publish a description of the consent agreements with Drizly and Rellas in the Federal Register, giving a 30-day window for public comment before deciding whether the proposed order is final.
“We take consumer privacy and security very seriously at Drizly, and we are happy to put this 2020 event behind us,” a Drizly spokesperson said via email.
Drizly hired Joe McManus as CSO following the 2020 incident.