FTC orders Uber-owned Drizly to improve "lax" data protection approach following 2020 breach
The Uber subsidiary has been hit with an FTC complaint, as the agency looks to send a message to the wider industry
The Federal Trade Commission (FTC) has ordered Uber-owned delivery company Drizly to revamp its data-handling practices following a major 2020 data breach.
Drizly, an Uber subsidiary, fell under FTC scrutiny following its alleged mishandling of a breach in which almost 2.5 million customer records were compromised, and the FTC highlighted a range of inadequacies in its approach to data protection.
In its complaint [PDF], the FTC claims that Drizly neglected to implement appropriate security practices, stored Drizly login credentials in the company’s GitHub repository against GitHub’s guidance and security best practices, failed to properly oversee sensitive data, and exposed its customers to crimes such as identity theft.
Under the terms of the FTC order, Drizly is required to destroy all personal data collected that is unnecessary to its business proceedings, limit its future collection of personal data unless it meets criteria set out in an FTC-defined retention schedule, and implement a full information security program.
To this end, employees must be provided with security training and be required to use multi-factor authentication to access sensitive databases. Access controls for personal data must also be implemented, and a dedicated role in the company will have to be created to oversee this.
The order applies to both Drizly and its CEO James Cory Rellas to whom the FTC complaint ascribed “authority to control” the acts alleged.
“We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson told IT Pro.
As he is included as an individual defendant in the complaint, and in light of the tendency of executives to move between firms, the FTC voted that Rellas will be required to follow the order even if he leaves Drizly.
In detail, Rellas must implement the above information security program if he takes on a majority-owner, CEO, or senior officer role at any company that collects the information on more than 25,000 individuals.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“CEOs who take shortcuts on security should take note.”
The FTC appears to be making an example of Drizly, as well as Rellas, in order to set a precedent for the future of data handling.
In July, the agency published a warning against sensitive data misuse, and it has been moving not only to sanction companies that fail to comply with data privacy regulations, but also to single out the individuals involved as a deterrent.
If a company violates an FTC consent order, it is subject to a civil penalty of up to $46,517 per violation.
What happened in Drizly's data breach?
The timeline of Drizly’s handling of data includes several standout incidents. In 2018, it was discovered that a Drizly employee had published the company’s AWS login information on their public GitHub repository.
Despite the company putting out a notice warning against exposing credentials, and urging for employee security policies to be implemented, sensitive credentials continued to be stored in the company repository.
The same year, a company executive was given access to the repository for a hackathon event, and this access was never revoked despite there being no need for it to be maintained.
This came to a head in 2020, when a threat actor used credentials from a previous breach to access the executive’s GitHub account and specifically target a repository containing Drizly source code, alongside AWS and database credentials.
The credentials allowed the threat actor to modify the company’s AWS security settings and access the firm’s entire production environment. Among other sensitive data, Drizly’s User Table was exfiltrated.
As a result, the information of nearly 2.5 million consumers was compromised, including IP addresses, phone numbers, and geolocation data.
Data was listed for sale on dark web forums, with the listings claiming that financial data was included in the records. The FTC complaint alleges that Drizly did not detect the breach itself, but instead learned of it through social media reports on the incident.
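The timeline above turns on credentials that sat in a source repository and on repository access that was never revoked. As an added illustration that is not part of the original article and is not Drizly's, Uber's or GitHub's code, the following Python check demonstrates the kind of pre-commit secret scan that stops AWS key material, database connection strings and private keys from reaching a repository in the first place. The file paths, contents and the `hunter2` password are constructed; the `AKIA`/`ASIA` prefixes follow AWS's documented access-key-ID format and the two AWS key values are AWS's published non-working example keys; the secret-key and database-URI regexes are heuristics, not vendor specifications.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Patterns for material that should never be committed. The AKIA/ASIA prefixes
# follow AWS's documented access-key-ID format; the secret-key and database-URI
# patterns are heuristics (assumptions), not vendor specifications. Where a
# pattern has a capture group, the group isolates the credential value itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "db_connection_uri": re.compile(
        r"\b(?:postgres(?:ql)?|mysql)://[^:\s/]+:([^@\s]+)@"
    ),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # credential token with all but a short prefix masked


def _mask(token: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is recognisable without logging the secret."""
    return token[:keep] + "*" * (len(token) - keep)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per (line, pattern) hit in a single file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                # Use the value capture group when the pattern has one, else the whole match.
                token = match.group(match.lastindex or 0)
                findings.append(Finding(path, line_no, kind, _mask(token)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, a stand-in for git's staged files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_commit(files: Dict[str, str]) -> bool:
    """A pre-commit hook would refuse the commit when any finding exists."""
    return bool(scan_files(files))


# Constructed sample "staged files" (hypothetical paths and values); the AWS
# values are AWS's published example keys and do not work against any account.
SAMPLE_FILES = {
    "config/settings.py": (
        "S3_BUCKET = 'retail-prod-assets'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/db.env": "DATABASE_URL=postgres://app_user:hunter2@db.internal:5432/prod\n",
    "README.md": "# Deployment notes\nCredentials live in the secrets manager, not here.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.preview})")
    # Non-zero exit is what makes a git pre-commit hook abort the commit.
    raise SystemExit(1 if should_block_commit(SAMPLE_FILES) else 0)
```

Run as a script, the block reports three masked findings in the constructed files and exits non-zero, which is the behaviour a `pre-commit` hook needs to abort the commit. The scan is deliberately line-oriented and regex-based so it can run on every commit without network access; in practice it complements, rather than replaces, credential rotation and the periodic review of who still holds repository access.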
This article was updated to include a statement from a Drizly spokesperson.