FTC Intends to Fine Drizly and its CEO for Exposing Customers' Data in 2020

Drizly has inadequate security measures, the commission said.

The Federal Trade Commission (FTC) proposes enforcement steps against the online alcohol delivery platform Drizly and its CEO. One is limiting the amount of personal information the firm may gather, Engadget reported.

The FTC claimed that in 2018, both the CEO of the Uber-owned Drizly, James Cory Rellas, and the company itself were made aware of security concerns. The commission ruled that the company did not take reasonable precautions to secure the personal information of its users, which led to a data breach in 2020 that compromised its 2.5 million customers.

The Data Breach Incident

A Drizly employee apparently leaked the company's Amazon Web Services (AWS) login credentials on GitHub in 2018, prompting an investigation by the FTC.

Emails, physical addresses, phone numbers, device identifiers, geolocation data, and any other data Drizly purchases from third parties that may be used to identify an individual user are all stored on AWS. Those credentials gave hackers access to Drizly's servers, which they then used to generate bitcoin.

Although Drizly regained control by changing its login credentials, the FTC argued the company still did not take "reasonable steps" to protect its customers and fix its security flaws, despite its public assertion to the contrary.

Later in 2020, a hacker gained access to GitHub using an employee's account. The hacker then got access to Drizly's database and stole the personal information of 2.5 million consumers, which was subsequently put up for sale on at least two distinct dark web sites.

FTC's Proposed Ruling, Affecting the Company

The FTC believed that these incidents occurred because of Drizly's inadequate security measures, such as not requiring employees to use two-factor authentication for GitHub, where the company kept login credentials. According to the commission, Drizly did not have a senior executive managing company security policies or limiting employee access to consumers' sensitive data.

A proposed order from the FTC would require Drizly to delete any user information that is not strictly required for the operation of the service. In the future, it must stop gathering data that is not essential and clearly state on its website what data it collects and stores. It will also need to hire a prominent executive to supervise the operation and establish stringent security measures.

FTC's Proposed Ruling, Affecting the CEO

Due to Rellas' leadership position in overseeing Drizly's weak security, the commission has also imposed directives that significantly impact him.

Rellas will still be obligated to develop an information security program at any company where he serves as CEO, majority owner, or senior executive engaged in security, even if he chooses to quit the liquor delivery business.

As noted by The Washington Post, the FTC has taken a new strategy for dealing with businesses with weak security procedures. Previously, the commission rarely targeted leaders in similar security breach cases.

Soon, the FTC will put out these proposed orders. Public comments will be accepted for 30 days before the commission decides whether or not to make them official.

This article is owned by Tech Times

Written by Trisha Kae Andrada

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.