FTC orders Uber-owned Drizly to improve "lax" data protection approach following 2020 breach


The Federal Trade Commission (FTC) has ordered Uber-owned delivery company Drizly to revamp its data-handling practices following a major 2020 data breach.

Drizly, an Uber subsidiary, fell under FTC scrutiny following its alleged mishandling of a breach in which almost 2.5 million customer records were compromised. The FTC highlighted a range of inadequacies in the company's approach to data protection.


In its complaint [PDF], the FTC claims that Drizly neglected to implement appropriate security practices, stored Drizly login credentials in the company’s GitHub repository against the guidance of GitHub and security best practices, failed to properly oversee sensitive data, and exposed its customers to crimes such as identity theft.

Under the terms of the FTC order, Drizly is required to destroy all personal data collected that is unnecessary to its business proceedings, limit its future collection of personal data unless it meets criteria set out in an FTC-defined retention schedule, and implement a full information security program.

To this end, employees must be provided with security training and be required to use multi-factor authentication to access sensitive databases. Access controls must also be implemented for personal data, and a dedicated role in the company will have to be created to oversee this.

The order applies to both Drizly and its CEO James Cory Rellas to whom the FTC complaint ascribed “authority to control” the acts alleged.

“We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson told IT Pro.

As he is included as an individual defendant in the complaint, and in light of the nature of executives to move between firms, the FTC voted that Rellas will be required to follow the order even if he leaves Drizly.

In detail, Rellas must implement the above information security program if he takes on a majority-owner, CEO, or senior officer role at any company that collects information on more than 25,000 individuals.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.

“CEOs who take shortcuts on security should take note.”

The FTC appears to be making an example of Drizly, as well as Rellas, in order to set a precedent for the future of data handling.

In July, the agency published a warning against sensitive data misuse, and it has been moving not only to sanction companies that fail to comply with data privacy regulations, but also to single out the individuals involved as a deterrent.

If a company violates an FTC consent order, it is subject to a civil penalty of up to $46,517 per violation.

What happened in Drizly's data breach?

The timeline of Drizly’s handling of data includes several standout incidents. In 2018, it was discovered that a Drizly employee had published the company’s AWS login information on their public GitHub repository.

The credentials were quickly exploited to run cryptocurrency mining on the company’s Amazon Web Services (AWS) servers, until the company took note and changed them.

Despite the company putting out a notice warning against exposing credentials, and urging that employee security policies be implemented, sensitive credentials continued to be stored in the company repository.
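The failure the FTC describes, credentials sitting in a source repository, is something a pre-commit or CI check can catch before code is pushed. The scanner below is an added example, not code from Drizly, Uber, GitHub or the FTC: it flags AWS access key IDs (AWS's documented AKIA/ASIA prefixes), an AWS secret key placed next to its label, and high-entropy values assigned to password- or token-like names, and it redacts every match so that the report itself does not leak the secret. The `Finding` class, the `scan_text`, `redact` and `shannon_entropy` names, the generic-secret pattern and the entropy threshold are assumptions made for this illustration; the sample settings file is constructed, and its AWS key values are the placeholders from AWS's own documentation, not real credentials.

```python
import math
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str        # which pattern fired
    line_no: int     # 1-based line in the scanned text
    redacted: str    # the matched value with its middle masked


# AWS access key IDs: documented prefixes (AKIA = long-lived user key,
# ASIA = temporary STS key) followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# AWS secret keys are 40 base64-style characters; to keep false positives
# low we only flag them when they follow the well-known label (assumption).
AWS_SECRET = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Generic "something_password = value" assignments; the value is checked
# for entropy below so that placeholders like "changeme" are not reported.
GENERIC_SECRET = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]{8,})"
)

PLACEHOLDERS = {"changeme", "password", "example", "secret", "xxxxxxxx"}
ENTROPY_THRESHOLD = 3.0  # bits per character; assumption, tune per repository


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    """Keep the first and last four characters so a finding can be located."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Scan the contents of one file and return redacted findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()  # avoid reporting one value under two rules
        for m in AWS_KEY_ID.finditer(line):
            seen.add(m.group(0))
            findings.append(Finding("aws_access_key_id", line_no, redact(m.group(0))))
        for m in AWS_SECRET.finditer(line):
            seen.add(m.group(1))
            findings.append(Finding("aws_secret_access_key", line_no, redact(m.group(1))))
        for m in GENERIC_SECRET.finditer(line):
            value = m.group(1)
            if value in seen or value.startswith("${"):  # env reference, not a literal
                continue
            if value.lower() in PLACEHOLDERS or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding("generic_secret", line_no, redact(value)))
    return findings


# Constructed sample of a settings file accidentally committed to a repository.
# The AWS values are the placeholder keys from AWS documentation.
SAMPLE_CONFIG = """\
# settings.py (constructed sample)
DEBUG = True
DATABASE_URL = ${DATABASE_URL}
AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "Xk9#pL2qRw7vTn4m"
admin_password = "password"
"""


if __name__ == "__main__":
    # Usage as a hook: `python scan_secrets.py file1 file2 ...` exits non-zero
    # when anything is found; with no arguments it scans the built-in sample.
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]] or [SAMPLE_CONFIG]
    total = 0
    for text in texts:
        for f in scan_text(text):
            total += 1
            print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
    sys.exit(1 if total else 0)
```

Dropping the scanner into a pre-commit hook or a CI step turns the policy Drizly reportedly announced but did not enforce into a blocking check; the entropy gate and placeholder list keep the noise low enough that developers do not learn to bypass it.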

The same year, a company executive was given access to the repository for a hackathon event, and this access was never revoked despite there being no need for it to be maintained.

This came to a head in 2020, when a threat actor used credentials from a previous breach to access the executive’s GitHub account and specifically target a repository containing Drizly source code, alongside AWS and database credentials.

The credentials allowed the threat actor to modify the company’s AWS security settings and access the firm’s entire production environment. Among other sensitive data, Drizly’s User Table was also exfiltrated.

As a result, the information of nearly 2.5 million consumers was compromised, including IP addresses, phone numbers, and geolocation data.

The data was listed for sale on dark web forums, where the listings claimed that financial data was included in the records. The FTC complaint alleges that Drizly did not detect the breach itself, but instead learned of it through social media reports on the incident.

This article was updated to include a statement from a Drizly spokesperson.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.