The Federal Trade Commission will take action against Drizly and its CEO over security lapses and a data breach affecting 2.5 million users.
As part of the enforcement measures it proposes against the marketplace and its CEO, the Federal Trade Commission wants to restrict the personal data that Drizly may gather. According to the Federal Trade Commission, the alcohol delivery business, acquired by Uber in 2021, and its CEO, James Cory Rellas, were made aware of security concerns as early as 2018. Data belonging to 2.5 million users was compromised in 2020, and the commission has determined that this was due to their failure to safeguard user information appropriately.
The Federal Trade Commission (FTC) is proposing a settlement requiring a former tech CEO to maintain certain levels of security at any future companies he may join.
On Monday, the agency’s four commissioners announced they had voted unanimously to propose an order against the alcohol delivery service Drizly and its CEO James Cory Rellas for reportedly not putting in place adequate security measures, which allegedly led to a data breach in 2020 that exposed the personal information of about 2.5 million customers.
In 2018, hackers took advantage of a security gap and used the company’s network for cryptocurrency mining, which alerted Drizly and Rellas to the company’s data security vulnerabilities; the response at the time was to update login credentials. According to the release, a hacker obtained consumers’ information from Drizly two years later, after the company had failed to fix its security problems sufficiently.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness. CEOs who take shortcuts on security should take note,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
FTC Claims Against Drizly And CEO
The FTC claims that these incidents occurred because of Drizly’s inadequate security measures, such as its failure to enforce the use of two-factor authentication on GitHub, where the company kept user credentials. According to the FTC, Drizly did not have a senior executive managing company security policies or limiting employee access to consumers’ sensitive data. The FTC says that Drizly and Rellas didn’t take enough measures to secure their users’ information despite being aware of the security problems two years before the incident.
A proposed order from the FTC would require Drizly to delete any user information that isn’t strictly required for the operation of the service. In the future, it must stop collecting data that isn’t essential and clarify what data it needs from visitors to its website. It will also need to appoint a senior executive to run its security program and establish stringent security measures.
While the FTC often reaches agreements of this kind, this case shows Democratic Chair Lina Khan’s preference for naming the CEO and extending the settlement terms beyond his time at Drizly. Some progressive regulators have argued that naming tech leaders in their cases is necessary to send a stronger deterrent signal to other prospective violators.
Drizly would be required under the order to implement a complete security policy, including staff training and limits on who may access data, and to erase personal data it has obtained but no longer requires.
Since Rellas presided over Drizly’s lax security, the commission has issued directives that directly affect him. Rellas will still be obligated to develop an information security program at any company where he serves as CEO, majority owner, or senior executive engaged in security, even if he leaves the booze delivery business. As reported by The Washington Post, this is a shift in the FTC’s strategy for dealing with businesses with weak security procedures, as the agency has seldom singled out leaders in comparable security breach cases.