FTC penalises Drizly for data breach
The Federal Trade Commission (FTC) has taken action against alcohol e-commerce platform Drizly and its CEO for alleged security failures that resulted in the leak of the personal information of 2.5 million users.
The FTC has ordered Drizly to destroy ‘unnecessary data’, after alleging the company’s inadequate security measures led to a data breach in July 2020, which affected 2.5 million consumers.
The proposed order also includes restricting future data collection and retention, and binds Drizly CEO James Cory Rellas to specific data security requirements.
Drizly and Rellas were alerted to the security problems in 2018, two years prior to the breach, according to the FTC, yet ‘failed to take steps’ to protect consumers’ data from hackers.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward, but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“CEOs who take shortcuts on security should take note.”
Rellas was ordered to comply to specific data security requirements, after the FTC accused him of overseeing and engaging in ‘unlawful business practices’.
A spokesperson for Drizly said: “We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us.”
Founded in 2012, Boston-headquarted Drizly claims to be the largest online marketplace for alcohol in North America. It became a subsidiary of Uber after the ride-sharing firm acquired the platform for approximately US$1.1 billion in February 2021.
The company collects and stores personal information on Amazon Web Services cloud computing service, including consumers’ email addresses, postal addresses, phone numbers, unique device identifiers, geolocation information and data purchased from third parties.
According to the FTC, in 2018, a Drizly employee posted company login details on a software development platform called Git Hub.
As a result of this security breakdown, hackers were able to use Drizly’s servers to ‘mine cryptocurrency’ until the company changed its login information.
The FTC alleged that Drizly ‘failed to take steps’ to address its security problems, while publicly claiming to have ‘appropriate’ security protections in place.
Two years later, a hacker breached an employee account and the company’s database, and then stole customers’ information, the FTC said.
FTC’s proposed order means that even if Rellas leaves Drizly, he would be required to implement an information security programme at future companies. This is the case if he moves to a business collecting information from more than 25,000 consumers, and where he is a majority owner, CEO, or senior officer with information security responsibilities.
The agreement is subject to comments from the public for 30 days after publication in the Federal Register. The FTC will then decide whether to make the proposed consent order final.
In August this year, Drizly supported underrepresented brand founders with its new Sip With Purpose initiative – including a US$4 million investment.