They say you can get pretty much anything delivered to your door and for customers of Drizly, that included beer, wine, distilled spirits – and the fall-out from Drizly’s alleged security lapses that led to the theft of personal information about more than 2.5 million consumers and its reappearance on the dark web. A proposed settlement with Drizly addresses the company’s actions – and inactions – alleged to be unfair and deceptive, in violation of the FTC Act. But there are additional sit-up-and-take-notice provisions, some of which address Drizly’s data collection policies going forward. Another notable development is that the complaint names Drizly CEO James Cory Rellas as individually liable for certain violations and the proposed settlement imposes information security provisions that will apply to Rellas personally in future business endeavors.
Drizly operates an e-commerce platform that enables local retailers to sell alcohol online to people of legal drinking age. A customer places an order on Drizly’s website or app and the retailer facilitates the delivery. In the course of its business, Drizly gathered a slew of information from customers. Drizly assured them that “[a]ll information we collect is securely stored” and that the company uses “standard security practices such as encryption and firewalls to protect the information we collect from you.”
That’s what Drizly promised, but FTC says the company engaged in unfair and deceptive practices that tell a different story. You’ll want to read the complaint for a behind-the-scenes look into the allegations, but here’s the shorthand version.
A key starting point is the company’s information technology infrastructure. Drizly used Amazon Relational Database Service – a third-party cloud service provided by Amazon Web Services (AWS) – to host the software that ran its e-commerce platform. That’s where the company stored a significant amount of customer data, including passwords. Although the passwords were hashed – converted into new values so they aren’t stored in plain text – Drizly used at least one obsolete method the FTC described as “cryptographically broken, and widely considered insecure.”
Drizly also used the GitHub software platform to develop, manage, and store source code for the company’s website and apps. In April 2018, Drizly gave one of its executives access to the GitHub repositories for a one-day event. However, the FTC says Drizly didn’t turn off the executive’s access after that, even though the person had no business need for the data. However, in accessing GitHub, the executive reused a seven-character password the executive had already used for personal accounts – and people concerned about password security can guess what happened next.
At some point, a malicious actor came into possession of passwords stolen during a data breach at another company. Among the purloined data was the seven-character password the Drizly executive had reused on GitHub. In July 2020, an intruder used the recycled password to access Drizly’s code in GitHub.
This is where the complaint begins to sound like the old “For want of a nail . . .” proverb. Once in Drizly’s GitHub repositories, the intruder was able to access Drizly’s AWS and database credentials. The intruder then used the compromised credentials to modify Drizly’s AWS security settings. That modification gave the intruder unfettered access to Drizly’s user databases. The upshot: the intruder stole data about more than 2.5 million consumers.
The FTC says Drizly didn’t detect the breach on its own. The company allegedly learned from press and social media reports that its customers’ accounts were for sale on the dark web. But to quote Yogi Berra, for some Drizly executives, news of the breach should have been “déjà vu all over again.” That’s because Drizly had experienced a similar security incident in 2018 when an employee posted Drizly’s AWS credentials to their publicly accessible, individual GitHub repository. As a result of that initial episode, Drizly’s AWS servers were used to mine cryptocurrency until Drizly ultimately changed the credentials. Therefore, according to the complaint, Drizly was “on notice of the potential dangers of exposing AWS credentials and should have taken appropriate steps to improve GitHub security.”
What could Drizly have done in an effort to prevent the major breach of consumer information in 2020? A lot, says the FTC. Again, the complaint offers a detailed analysis, but here are just some of Drizly’s missteps the FTC says exacerbated the impact of the breach:
- Drizly failed to develop and implement adequate written security standards and train employees, including engineers, on complying with company policies.
- Drizly failed to securely store AWS and database login credentials.
- Drizly failed to require unique, complex passwords that employees hadn’t used elsewhere and didn’t end access when an employee or contractor no longer had a legitimate need for sensitive information.
- Drizly failed to adequately monitor for unauthorized attempts to transfer consumer data outside its network.
- Drizly didn’t appropriately test the security features of its products and apps and failed to conduct periodic vulnerability testing.
The FTC also alleges that Drizly didn’t have procedures for inventorying and deleting consumer information that no longer should have been on its network. Put a pin in that one for a moment because it’s a key reason for new provisions in the FTC’s proposed order.
To settle the case, Drizly has agreed to implement improved security practices that have become standard in FTC data cases. Now for those additional order provisions crafted to address the violations alleged in the complaint and to protect consumers in the future. Taking the FTC’s recent CafePress settlement one step further, Part II of the proposed Drizly order requires the company to delete or destroy broad categories of consumer information in its possession if the data isn’t being used or retained in connection with providing products or services. Part II also requires the company to “refrain from collecting or maintaining” broad categories of consumer information not necessary for specific purposes described in a retention schedule – a new provision that warrants your particular attention. Part III of the proposed order requires Drizly to display on its website and apps a retention schedule for broad categories of consumer data, explaining why Drizly is collecting the information in the first place, why it needs to hold on to it, and a timeframe for eventual deletion. If you’re asking yourself if that mandates a company-wide policy of data minimization, the answer is yes, it does.
Those provisions are tied closely to that put-a-pin-in-it complaint allegation regarding Drizly’s failure to have a procedure in place for deleting consumer information that no longer belonged on its network. As the complaint alleges, Drizly wasn’t using that data for business purposes, but it was certainly valuable to the intruder who took advantage of the company’s lax security to grab it.
Now for the provision that holds Drizly CEO Rellas individually liable for certain violations. You’ll want to read the complaint for a detailed description of his alleged conduct, but here’s the part corporate executives need to hear. The proposed order requires that for the next 10 years, if CEO Rellas is the majority owner of any business that collects consumer information or is employed in certain other high-level roles, he must ensure that the company implements an information security program. In other words, that obligation will follow him for the next decade. So for the executives and the attorneys who represent them who have assumed they don’t need to be concerned about individual liability in data security cases, the order against Rellas should disabuse them of that notion.
What can other companies take from the FTC’s action against Drizly and Rellas?
Individual corporate officers may be liable in their individual capacities. Don’t make the mistake of thinking that incorporating a business shields officers from liability in consumer protection actions, including data security cases. It’s a fact-based analysis, but in appropriate instances, the FTC may sue the corporation and corporate officers. And if the person under order has certain high-level responsibilities, compliance obligations may follow regardless of where he or she works in the future. The case against Rellas may be the latest FTC action alleging individual liability in a data security case, but it probably won’t be the last. The message for corporate executives is that the data security buck stops with you.
When you no longer have a business need to maintain consumer information, dispose of it securely. Holding on to consumer data “just because” is a bad business practice. We’ve said it before, but it bears repeating. Collect only what you need, keep it safe while it’s in your possession, and dispose of it securely when that business justification has passed. The new data retention limit provision in the proposed Drizly order drives that point home and should motivate other businesses to consider a data housecleaning.
Learn the lessons of earlier security breaches. Had Drizly changed its practices in response to the 2018 episode, the 2020 breach might not have happened. Furthermore, the FTC’s well-publicized 2018 action against Uber also stemming from a GitHub-related breach should have sounded an alarm that Drizly and other companies were overdue for a compliance check. If your business experiences an incident – or when you hear about an incident at another company – convene a meeting of your Security “A Team” to consider changes your company should make.
While we’re on the subject, have a Security “A Team” in place. The complaint alleges that CEO Rellas hired senior executives for finance, legal, marketing, retail, human resources, product, and analytics, but failed to hire a senior executive responsible for the security of consumers’ personal information. A key component of any corporate data security program is a qualified top-level person at the helm.
Train your staff about the dangers of reusing passwords. Recycling is great for glass and cans, but as the FTC complaint demonstrates, the consequences of recycling passwords can be catastrophic. Hackers play the long game. They know that at least some passwords stolen from one company will be reused by people in other contexts. The most effective training isn’t just a series of “don’ts.” Giving a to-the-point explanation of why practices like password reuse are harmful may encourage more care in your workforce.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.