The FTC seeks to sanction Drizly and its CEO for a breach that exposed the data of 2.5 million users

The Federal Trade Commission wants to limit the amount of personal information Drizly can collect as part of its proposed enforcement actions against the marketplace and its CEO. According to the FTC, the alcohol delivery service that Uber bought in 2021 and its CEO, James Cory Rellas, were alerted to security issues in 2018. The commission found that they had not adequately protected their users’ information, which enabled a data breach in 2020 that exposed the data of 2.5 million users.

According to the original FTC complaint, a Drizly employee posted the company’s login credentials for its Amazon Web Services (AWS) cloud account on GitHub in 2018. Drizly stores users’ details on AWS, such as their email addresses, postal addresses, phone numbers, unique device IDs, geolocation information, and any data purchased from third parties that can be linked to them. Hackers were able to use those credentials to infiltrate Drizly’s servers and use them to mine cryptocurrency.
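The 2018 incident described above began with cloud credentials committed to a source repository. The following is an added example, not code from Engadget, the FTC or Drizly, of the kind of pre-commit check that catches long-lived AWS access keys before they leave a developer’s machine. It assumes the documented AWS access key ID format (“AKIA” followed by 16 upper-case alphanumerics) and a 40-character secret key next to a key-like label; the sample file contents and the `pre_commit_check` helper are constructed for illustration, and the credential values are AWS documentation placeholders rather than real keys.

```python
import re
from typing import Dict, List, Tuple

# The access key ID format is AWS's documented one; the secret key is only flagged when it
# sits beside a label such as AWS_SECRET_ACCESS_KEY, to keep false positives low.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"aws[_\-]?secret[_\-]?access[_\-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)


def redact(value: str) -> str:
    """Keep just enough of a match to locate it in the file, never the full credential."""
    return value[:4] + "..." + value[-4:]


def find_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, credential kind, redacted hint) for every hit in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def pre_commit_check(files: Dict[str, str]) -> int:
    """Hypothetical hook entry point: return 1 (block the commit) if any staged file leaks a key."""
    blocked = False
    for path, content in files.items():
        for lineno, kind, hint in find_aws_credentials(content):
            print(f"{path}:{lineno}: {kind} ({hint}) -- remove before committing")
            blocked = True
    return 1 if blocked else 0


# Constructed sample of staged files; the key values are AWS's documentation examples.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Configure credentials via the environment, never in source.\n",
}

if __name__ == "__main__":
    raise SystemExit(pre_commit_check(SAMPLE_FILES))
```

Run as a git pre-commit hook (after swapping `SAMPLE_FILES` for the staged file contents), a non-zero exit status stops the commit; pairing it with a server-side scan matters too, since a hook on one developer’s machine can be skipped.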

While Drizly regained control by changing its login credentials, the FTC says it failed to put “reasonable safeguards” in place to protect its users and address its security concerns, despite publicly stating that it had. In 2020, a hacker was able to break into an employee’s account and access the company’s GitHub. They then broke into Drizly’s database and stole the personal information of 2.5 million customers, which was later put up for sale on at least two different dark web sites.

The FTC says those events were made possible by Drizly’s poor security practices, such as not requiring employees to use two-factor authentication for GitHub, where it stored login credentials. Drizly also did not limit employee access to users’ personal data, the FTC adds, and did not have a senior executive overseeing its security practices.

Under the FTC’s proposed orders, Drizly will have to destroy any previously collected personal data that is not necessary to provide its services. It must also refrain from collecting unnecessary data in the future and publicly disclose on its website what information it requires from users. In addition, it will need to implement a comprehensive security program and appoint an executive to oversee it.

The commission also issued orders that apply personally to Rellas because of his role in presiding over Drizly’s lax security practices. If Rellas leaves the alcohol delivery service, he will still need to implement an information security program at any future company where he becomes CEO, majority owner or a senior executive involved in security. As The Washington Post points out, the FTC has rarely singled out executives in similar security breach cases in the past, and this signals a new focus on holding companies with inadequate security measures to account.

Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement:

“Our proposed order against Drizly not only restricts what the company can withhold and collect in the future, but also ensures that the CEO faces consequences for the company’s carelessness. CEOs who cut corners on security should take notes.”

The FTC will publish these proposed orders soon and they will be open for public comment for 30 days before the commission decides whether to make them official.
