Uber’s Drizly data breach compromises information of 2.5 million customers

Facts in a nutshell 

• The Federal Trade Commission (FTC) is taking action against online alcohol marketplace, Drizly and its CEO James Cory Rellas.  

• This action comes after a 2020 security incident breached the data of roughly 2.5 million customers.  
• A security incident in 2018 uncovered weaknesses in Drizly’s information security program.  
• "Drizly & Rellas were alerted to security problems two years before the breach, yet they failed to act. Instead, they stored key information on an unsecured platform, didn't monitor for security threats, and exposed customers to hackers & identity thieves," FTC Chair Lina Khan tweeted on Monday. 
• As a result, Drizly must comply with many short-term and long-term conditions. Some of these conditions must be upheld for the next twenty years. 
• CEO Rellas must also personally abide by court-ordered conditions for a decade, regardless of where he works. He has to implement cybersecurity programs at any future business he works for where he is CEO or majority owner and where the company collects personal data from more than 25,000 people. 

What happened exactly? 

• Drizly collects and stores a wide range of personal customer information. 
• This personal information includes postal addresses, geo-location data, email addresses, phone numbers and unique device identifiers. 
• Two years after a 2018 security incident that left Drizly's servers unprotected, a hacker was able to access Drizly's corporate GitHub through an employee account, hack into the company's database, and steal this information. 
• Drizly’s CEO was made aware of the security problems in 2018 but failed to act on them and protect their customers’ information.  

• As a result, the personal information of 2.5 million Drizly customers was compromised in 2020.  

Drizly stated “with 100% certainty” that “no financial information was compromised”. However, this is not the first time a data-collecting company has suffered a breach of this level. In fact, Drizly’s parent company, Uber, has experienced multiple security incidents in the last decade. Tech companies are often the target of large-scale hacking and should take special care to protect the data they collect and store.  

What were the allegations? 

Drizly and its CEO face several allegations connected to their 2020 breach.  

• First, the FTC alleged that Drizly and its CEO failed to implement basic security measures that would have protected their customers’ personal information. 

• Drizly did not require two-factor authentication for employee GitHub accounts. 
• They did not limit employee access to customer information. 
• They did not document appropriate security policies or provide employees with sufficient training on these policies. 

• Secondly, Drizly violated GitHub’s security guidelines by storing sensitive information (login credentials) on their unsecured platform.  
• Additionally, Drizly left their networks unmonitored and unprotected from unauthorised access. They failed to appoint a senior executive in charge of their data security. 

• Following the breach, the stolen customer information was offered on the dark web. When personal information is exposed to identity thieves, hackers and other malicious actors, they can use someone else’s identity and commit fraud in their name. 

Typically, C-suite executives move from one company to another after a scandal. However, the FTC has responded to this with a strict order of action. This order will follow Rellas for ten years even if he chooses to move to another company.  

Samuel Levine, the FTC’s Director of the Bureau of Consumer Protection, said: “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces the consequences for the company’s carelessness”. 

So, what happened next? 

What action did the FTC take against Drizly and its CEO? 

This incident impacted millions of customers. Therefore, both Drizly and Rellas will be held accountable. The FTC has proposed the following conditions that should be followed on an organisational and personal level.  

Requirements for Drizly: 

• They must destroy all personal information that is not necessary for their operations. They must also inform the FTC of what information has been destroyed. 
• They must limit information collection and storage to what is necessary. These categories of information must be specified in a retention schedule along with their purpose/use. 
• They must implement a comprehensive information security program. This program must address the security issues mentioned in the complaint. That means they must:  

• Train employees, 
• Assign a high-level employee to monitor information security, 
• Limit who can access personal data, 
• And implement multi-factor authentication measures for data access. 

Rellas will likely become a majority owner or C-suite officer at another large company in the future. If this company also collects consumer information and happens to have more than 25,000 employees, Rellas must take on personal responsibilities for ten years once they are finalised. 

Requirements for the CEO: 

• He must document, in writing, the content, implementation and maintenance of the company’s information security program. 
• He must notify the board of directors and other senior company executives of the information security program. 
• He must assign specific personnel to manage and take responsibility for the information security program. 
• Annually, he must identify and record the organisation's security risks and whether its security measures are adequate.

• He must annually test and monitor the effectiveness of security measures. It includes conducting vulnerability testing at least every four months and penetration testing at least every twelve months. 
• He must thoroughly evaluate service providers and require them to implement sufficient security measures. It must be stated in a contract.  
• He must evaluate and modify the information security program at least once a year in line with business and technological changes. 

Data breaches have severe consequences. Therefore, those responsible must be held accountable. Because of this, the FTC is taking more substantial steps to ensure the confidentiality, integrity, and availability of personal information.  

In a joint statement, the FTC’s Chair and Commissioner Lina M. Khan and Alvaro M. Bedoya cited Drizly’s “lax data security practises" and warned other “market participants” to limit their “baseline collection and retention of data”. They also highlighted the importance of upholding accountability to ensure those responsible are “better incentivised to meet their legal obligations.” 

Key takeaways 

• Acknowledging, reporting, and mitigating information security risks is crucial to avoiding security incidents. Failure to do so can have personal consequences on executives, as in the case of Rellas and Drizly.  
• Fundamentally, information security is a leadership issue, and senior officers should take responsibility for overseeing such matters, particularly by championing policies and procedures and completing trainings.  
• Put in place multi-factor authentication whenever you can. It is a quick win that pays dividends. 
• Ensure that data collection and storage are limited to what is necessary. You can’t lose what you don’t have. Collecting and storing data you don’t need creates unnecessary risk. 
• Information security and data protection laws are constantly evolving, so staying updated on what is required of you and your company is essential.   

Drizly’s and Rellas’ lack of preparation to tackle pre-existing security issues cost them their company's reputation and compromised the data security and trust of millions of customers.

However, data breaches can be prevented. Get in touch with our experts to find out how.