As part of the proposed enforcement measures against the marketplace and its CEO, the Federal Trade Commission seeks to restrict the amount of personal information Drizly may gather. According to the FTC, the alcohol delivery firm that Uber bought in 2021 and its CEO, James Cory Rellas, were warned about security concerns in 2018. The commission determined that they had failed to sufficiently safeguard their customers’ information, allowing a data breach in 2020 that exposed the personal information of 2.5 million individuals.
According to the FTC’s initial complaint, a Drizly employee uploaded the company’s Amazon Web Services (AWS) cloud account logins on GitHub in 2018. Drizly saves user information such as emails, postal addresses, phone numbers, even unique device identifiers, geolocation information, and any other data acquired from third parties that may be connected back to them on AWS. Hackers were able to exploit those logins to get access to Drizly’s servers and mine bitcoin.
While Drizly regained control by changing its login credentials, the FTC claims it failed to put in place “reasonable precautions” to protect its users and fix its security vulnerabilities, while publicly asserting that it did. In 2020, a hacker gained access to an employee’s account and the company’s GitHub. They then hacked into Drizly’s database and stole the personal information of 2.5 million consumers, which was then sold on at least two distinct dark web websites.
According to the FTC, such incidents were made possible by Drizly’s lax security measures, such as not forcing workers to utilize two-factor authentication for GitHub, where it kept login credentials. According to the FTC, Drizly also did not restrict personnel’s access to consumers’ sensitive data and had no senior executive managing company security policies.
According to the FTC’s proposed orders, Drizly will be required to erase any personal data it previously obtained that is no longer required to offer its services. It will also be required to stop collecting unneeded data in the future and to openly disclose the information it needs from users on its website. It will also need to put in place a thorough security policy and hire an executive to manage its operations.
Due to his participation in presiding over Drizly’s inadequate security standards, the commission has also imposed directives that individually apply to Rellas. Even if Rellas chooses to quit the alcohol delivery business, he will still be obligated to develop an information security program at any future company where he serves as CEO, majority owner, or senior executive engaged in security. According to The Washington Post, the FTC has seldom targeted leaders in such security breach instances in the past, indicating a new strategy to dealing with corporations with poor security procedures.