FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers

The Federal Trade Commission is taking action against the online alcohol marketplace Drizly and its CEO James Cory Rellas over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers. The FTC’s proposed order requires the company to destroy unnecessary data, restricts the data that the company can collect and retain, and binds Rellas to specific data security requirements for his role in presiding over unlawful business practices.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”

Boston-based Drizly, a subsidiary of Uber, operates an online marketplace where consumers of legal drinking age can place orders with retailers to buy beer, wine, and alcohol for delivery. The company collects and stores on Amazon Web Services cloud computing service a wide range of personal information from consumers such as email, postal addresses, phone numbers, unique device identifiers, geolocation information and data purchased from third parties.

According to the FTC’s complaint, Drizly and Rellas were alerted to problems with the company’s data security procedures following an earlier security incident. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account. Drizly failed to take steps to adequately address its security problems while publicly claiming to have appropriate security protections in place. Two years later, a hacker breached an employee account, got access to Drizly’s corporate GitHub login information, hacked into the company’s database, and then stole customers’ information.

In its complaint, the FTC alleges that Drizly and Rellas:

• Failed to implement basic security measures: The FTC alleged that despite statements claiming the company used appropriate security practices to protect consumer data, Drizly and Rellas failed to put in place reasonable safeguards to secure the personal information it collected and stored. It did not require employees to use two-factor authentication for GitHub, limit employee access to personal data, develop adequate written security policies, or train employees on those procedures.

• Stored critical database information on an unsecured platform: According to the FTC’s complaint, Drizly stored login credentials on GitHub contrary to the platform’s own guidance and well-publicized security incidents involving GitHub. For example, in its 2018 complaint against Uber, the FTC specifically publicized and described poor security practices involving the use of Uber’s GitHub account that contributed to a data breach involving the ridesharing app.

• Neglected to monitor network for security threats: The FTC alleged that Drizly did not put a senior executive in charge of ensuring that the company was keeping its data secure, nor did it monitor its network for unauthorized attempts to access or remove personal data.

• Exposed customers to hackers and identity thieves: Following the company’s data breach, personal information that Drizly had collected about consumers was offered for sale on two different publicly accessible sites on the dark web, where criminals post and sell data stolen by hackers. Identity thieves and other malicious actors can use such data to open fraudulent lines of credit or commit other fraud. When unauthorized accounts are opened in their name, consumers can suffer financial harm by incurring debt and damaging their credit, the FTC alleged.

Enforcement Action

The proposed order against Drizly and Rellas includes several requirements aimed at ensuring they take steps to address the problems outlined in the FTC’s complaint. Under the proposed FTC order, Drizly and Rellas are required to:

• Destroy unnecessary data: Drizly is required to destroy any personal data it collected that is not necessary for it to provide products or services to consumers. It must also document and report to the Commission what data it destroyed.

• Limit future data collection: Going forward, Drizly must refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. It must also must publicly detail on its website the information it collects and why such data collection is necessary.

• Implement an information security program: Drizly is required to implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint. This includes measures such as providing security training for its employees; designating a high-level employee to oversee the information security program; implementing controls on who can access personal data; and requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.

Notably, the order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO. In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.

This action is part of the FTC’s aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures. Last year, the Commission secured its first order requiring a firm to minimize data collection and has worked in subsequent orders to ensure companies only collect what they need to conduct their business. The Commission is also taking steps to bolster security market-wide, including by finalizing updates to the Safeguards Rule, issuing a policy statement on the Health Breach Notification Rule, and initiating an advance notice of proposed rulemaking on commercial surveillance and lax data security practices.

The FTC voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with Drizly and Rellas. Commissioner Christine Wilson voted yes but dissented in part as to the inclusion of Rellas as an individual defendant and issued a separate statement. Chair Lina M. Khan and Commissioner Alvaro Bedoya issued a joint concurring statement and Commissioner Rebecca Kelly Slaughter issued a separate concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.