FTC Acts Against Drizly for Lax Cybersecurity Protocols

The U.S. Federal Trade Commission (FTC) took action against Drizly for lax cybersecurity protocols that led to the exposure of data on 2.5 million customers in a massive hack. The FTC alleges that Drizly was warned about the lax security protocols but failed to fix the issues.

Drizly is an alcoholic beverage delivery business that Uber acquired for $1.1 billion last year. Co-founder Cory Rellas stayed on as CEO.

The FTC said it stored databases that contained information about customers’ email, postal addresses, phone numbers, unique device identifiers, geolocation information and data purchased from third parties on Amazon Web Services’ (AWS) cloud computing service.

It initially went on the FTC’s radar when a Drizly employee posted login information for the company’s cloud computing account on GitHub in 2018. Hackers could use Drizly’s computing resources to mine cryptocurrencies until it changed its login information.

The FTC’s allegations include:

  • Failure to implement basic security measures, including reasonable safeguards for customers’ information. Drizly failed to implement two-factor authentication (2FA) for its GitHub account’s login. It also did not limit employees’ access to customers’ data, create adequate security protocols, or train employees on how to recognize and counter common cybersecurity threats.
  • Storage of login information on an insecure platform. Essentially, GitHub? Really? The Drizly employee went against company guidance and ignored past security incidents involving GitHub when the login information for its cloud storage was saved on GitHub. The FTC cited a similar 2018 complaint against parent company Uber involving storage of sensitive information on GitHub.
  • Failure to monitor the network for cybersecurity threats. Drizly did not have an executive in charge of securing data on its network and monitoring its network for unauthorized access.
  • Hackers and identity thieves may now have access to customers’ information. The information could include passwords that customers might reuse on other websites. Sensitive information like this can be traded on Dark Web sites. Law enforcement agencies frequently try to squish Dark Web marketplaces, but it’s like playing advanced Whack-A-Mole. The FTC recommends changing your passwords, turning on 2FA, and reducing your risk of being a victim of identity theft if you get a notification that one of your online accounts got hacked.

A Look at Social Engineering Attacks

Social engineering attacks are among the most common cybersecurity threats that businesses face. The below video takes a closer look at them.

FTC’s Proposed Order Requires Drizly to Improve Cybersecurity

This might sound like closing the barn door after the horses have gotten loose, but the FTC proposed requiring Drizly to delete customer data that it doesn’t need, limit future data collection, and implement an improved cybersecurity program.

Drizly will be required to document the steps it is taking to comply with the FTC’s requirement to delete unnecessary data. It will also have to publicly publish information on the data it collects and why it is necessary.

The improved security program will include a more robust security policy, better training for employees, better control over who can access customer data, and multi-factor logins for access to customer data. The FTC likely considered this important because phishing and “social engineering” attacks targeting unwary employees are common ways for hackers to gain access to companies’ internal networks.

Kevin Metnick described his misadventures as a notorious hacker who mastered social engineering attacks in his book, Ghost in the Wires, for instance. As a reformed hacker, he later built a successful career as a cybersecurity consultant.

A Look at Common Cybersecurity Threats

In a rarity, the FTC also held Drizly CEO James Cory Rellas accountable for the cybersecurity lapses that led to the exposure of data on 2.5 million customers. Citing CEO’s ability to hop from company to company regardless of their track record, it proposed requiring Rellas to implement a reasonable security policy at every company he works at in the future.

FTC commissioners voted unanimously to approve the proposed order, though Commissioner Christine Wilson objected to holding Rellas personally accountable for the cybersecurity lapse in a separate statement.

In its news release announcing the proposed order holding Drizly accountable for the breach, the FTC cited its work on updating the Safeguards Rule, a policy statement on the Health Breach Notification Rule, and an advance notice of proposed rulemaking on commercial surveillance and lax data security practices.

A consent order like the one that the FTC issued against Drizly comes with civil penalties of up to $46,517 for each violation.