IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FTC orders Uber-owned Drizly to improve "lax" data protection approach following 2020 breach

The Uber subsidiary has been hit with an FTC complaint, as the agency looks to send a message to the wider industry

The Federal Trade Commission (FTC) has ordered Uber-owned delivery company Drizly to revamp its data-handling practises following a major 2020 data breach.

Drizly, an Uber subsidiary, fell under FTC scrutiny following its alleged mishandling of a breach that saw the data of almost 2.5 million customer records compromised and the FTC highlighted a range of inadequacies related to its approach to data protection.

Related Resource

Why smart businesses view a data fabric as an inevitable approach to becoming data driven

Adopting a data-driven strategy for success

Whitepaper cover with title and grey square graphic, green top banner and Hurwitz logoFree Download

In its complaint [PDF], the FTC claims that Drizly neglected to implement appropriate security practises, stored Drizly login credentials in the company’s GitHub repository against the guidance of GitHub and security best practises, failed to properly oversee sensitive data, and opened up its customers to crimes such as identity theft.

Under the terms of the FTC order, Drizly is required to destroy all personal data collected that is unnecessary to its business proceedings, limit its future collection of personal data unless it meets criteria set out in an FTC-defined retention schedule, and implement a full information security program. 

To this end, employees must be provided with security training, and be required to use multi-factor authentication to access sensitive databases. Controls must be also implemented to access personal data and a dedicated role in the company will have to be created to oversee this.

The order applies to both Drizly and its CEO James Cory Rellas to whom the FTC complaint ascribed “authority to control” the acts alleged.

“We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson told IT Pro.

As he is included as an individual defendant in the complaint, and in light of the nature of executives to move between firms, the FTC voted that Rellas will be required to follow the order even if he leaves Drizly.

In detail, Rellas must implement the above information security program if he takes on a majority-owner, CEO, or senior officer role at any company that collects the information on more than 25,000 individuals.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. 

“CEOs who take shortcuts on security should take note.”

The FTC appears to be making an example of Drizly, as well as Rellas, in order to set a precedent for the future of data handling.

In July, the agency published a warning against sensitive data misuse, and has been moving to sanction not only companies that fail to comply with data privacy regulations, but also single out individuals involved as a deterrent.

If a company violates an FTC consent order, it is subject to a civil penalty of up to $46,517 per violation. 

What happened in Drizly's data breach?

The timeline of Drizly’s handling of data includes several standout incidents. In 2018, it was discovered that a Drizly employee had published the company’s AWS login information on their public GitHub repository.

These were quickly exploited to use the company’s Amazon Web Services (AWS) servers to mine cryptocurrency, until the company took note and changed the credentials.

Despite the company putting out a notice warning against exposing credentials, and urging for employee security policies to be implemented, sensitive credentials continued to be stored in the company repository.

The same year, a company executive was given access to the repository for a hackathon event, and this access was never revoked despite there being no need for it to be maintained. 

This came to a head in 2020, when a threat actor used credentials from a previous breach to access the executive’s GitHub account and specifically target a repository containing Drizly source code, alongside AWS and database credentials.

The credentials allowed the threat actor to modify the company’s AWS security settings and access the firm’s entire production environment containing. Among other sensitive data, Drizly’s User Table was also exfiltrated.

As a result, the information of nearly 2.5 million consumers was compromised, including IP addresses, phone numbers, and geolocation data.

Data was listed for sale on dark web forums which claimed that financial data was included in the records. The FTC complaint alleges that Drizly did not detect the breach itself, but instead learned through social media reports on the incident.

This article was updated to include a statement from a Drizly spokesperson.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Most Popular

Empowering employees to truly work anywhere
Sponsored

Empowering employees to truly work anywhere

22 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022