The FTC wants to punish Drizly and its CEO for a data breach that exposed the personal information of 2.5 million customers

Although Drizly regained control by changing its login credentials, the FTC claims the company failed to put in place “reasonable precautions” to protect its users and fix its security vulnerabilities, while publicly asserting that it had. In 2020, a hacker gained access to an employee’s account and the company’s GitHub, then broke into Drizly’s database and stole the personal information of 2.5 million consumers, which was then sold on at least two distinct dark web sites.

According to the FTC, such incidents were made possible by Drizly’s lax security measures, such as not requiring employees to use two-factor authentication for GitHub, where it kept login credentials. The agency also says Drizly did not restrict employees’ access to consumers’ sensitive data and had no senior executive managing company security policies.