Federal Trade Commission takes action against Drizly and its CEO for security failures that exposed the data of 2.5 million consumers

October 25, 2022

The Federal Trade Commission (“the FTC”) is taking action against Drizly, an online alcohol supplier, and its CEO, James Rellas, regarding a data breach that exposed personal information of 2.5 million consumers in 2020.  The data breach, it is alleged, was caused by security failures on Drizly’s part.

The core of the complaint is that Drizly:

  • failed to implement basic security measures, including not requiring employees to use two-factor authentication for GitHub, not limiting employee access to personal data, not having adequate written security policies, and not training employees on those procedures;
  • stored information on an unsecured platform. Drizly stored login credentials on GitHub contrary to the platform’s own guidance and well-publicized security incidents involving GitHub;
  • failed to monitor its network for security threats. The FTC specifically claimed that the failure included not putting a senior executive in charge of ensuring that the data was secure.  Nor did it monitor its network for unauthorized attempts to access or remove personal data; and
  • exposed its customers to hackers and identity thieves. After the data breach personal information that Drizly had collected about consumers was offered for sale on two different publicly accessible sites on the dark web.

The action is by way of administrative complaint, a precursor to formal litigation.  This has resulted in a consent agreement. It is a more assertive process than the Own Motion Investigation that the Australian Information Commissioner uses, on a very sparing basis, in Australia.

An interesting feature of this consent agreement is that the Chief Executive, James Rellas, is accountable for information security under the consent agreement, even if he leaves Drizly and works for another entity.  That is a procedure that the Australian Government should consider in its reforms of the Privacy Act.  Having the power to make orders against directors to ensure proper data security by way of enforceable undertakings would focus their minds.  With this approach the cost is not only to the business.  It is to its officers as well.  Having an order attached to a director wherever he or she went over a period would be something they would dread.

While the Australian enforceable undertakings are a pale version of what the FTC imposes on companies who have had a data breach or otherwise breached privacy, it is worth reviewing how the FTC drafts its complaints and agreements.  They are the gold standard in terms of imposing comprehensive orders which enforce proper privacy practices over a 10 or 20 year period.  It is only a matter of time before Australia will move in this direction.

The statement provides:

The Federal Trade Commission is taking action against the online alcohol marketplace Drizly and its CEO James Cory Rellas over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers. The FTC’s proposed order requires the company to destroy unnecessary data, restricts the data that the company can collect and retain, and binds Rellas to specific data security requirements for his role in presiding over unlawful business practices.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”

Boston-based Drizly, a subsidiary of Uber, operates an online marketplace where consumers of legal drinking age can place orders with retailers to buy beer, wine, and alcohol for delivery. The company collects and stores on Amazon Web Services cloud computing service a wide range of personal information from consumers such as email, postal addresses, phone numbers, unique device identifiers, geolocation information and data purchased from third parties.

According to the FTC’s complaint, Drizly and Rellas were alerted to problems with the company’s data security procedures following an earlier security incident. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account. Drizly failed to take steps to adequately address its security problems while publicly claiming to have appropriate security protections in place. Two years later, a hacker breached an employee account, got access to Drizly’s corporate GitHub login information, hacked into the company’s database, and then stole customers’ information.

In its complaint, the FTC alleges that Drizly and Rellas:

    • Failed to implement basic security measures: The FTC alleged that despite statements claiming the company used appropriate security practices to protect consumer data, Drizly and Rellas failed to put in place reasonable safeguards to secure the personal information it collected and stored. It did not require employees to use two-factor authentication for GitHub, limit employee access to personal data, develop adequate written security policies, or train employees on those procedures.
    • Stored critical database information on an unsecured platform: According to the FTC’s complaint, Drizly stored login credentials on GitHub contrary to the platform’s own guidance and well-publicized security incidents involving GitHub. For example, in its 2018 complaint against Uber, the FTC specifically publicized and described poor security practices involving the use of Uber’s GitHub account that contributed to a data breach involving the ridesharing app.
    • Neglected to monitor network for security threats: The FTC alleged that Drizly did not put a senior executive in charge of ensuring that the company was keeping its data secure, nor did it monitor its network for unauthorized attempts to access or remove personal data.
    • Exposed customers to hackers and identity thieves: Following the company’s data breach, personal information that Drizly had collected about consumers was offered for sale on two different publicly accessible sites on the dark web, where criminals post and sell data stolen by hackers. Identity thieves and other malicious actors can use such data to open fraudulent lines of credit or commit other fraud. When unauthorized accounts are opened in their name, consumers can suffer financial harm by incurring debt and damaging their credit, the FTC alleged.

Enforcement Action

The proposed order against Drizly and Rellas includes several requirements aimed at ensuring they take steps to address the problems outlined in the FTC’s complaint. Under the proposed FTC order, Drizly and Rellas are required to:

    • Destroy unnecessary data: Drizly is required to destroy any personal data it collected that is not necessary for it to provide products or services to consumers. It must also document and report to the Commission what data it destroyed.
    • Limit future data collection: Going forward, Drizly must refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. It must also publicly detail on its website the information it collects and why such data collection is necessary.
    • Implement an information security program: Drizly is required to implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint. This includes measures such as providing security training for its employees; designating a high-level employee to oversee the information security program; implementing controls on who can access personal data; and requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.

Notably, the order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO. In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.

This action is part of the FTC’s aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures. Last year, the Commission secured its first order requiring a firm to minimize data collection and has worked in subsequent orders to ensure companies only collect what they need to conduct their business. The Commission is also taking steps to bolster security market-wide, including by finalizing updates to the Safeguards Rule, issuing a policy statement on the Health Breach Notification Rule, and initiating an advance notice of proposed rulemaking on commercial surveillance and lax data security practices.

The FTC voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with Drizly and Rellas. Commissioner Christine Wilson voted yes but dissented in part as to the inclusion of Rellas as an individual defendant and issued a separate statement. Chair Lina M. Khan and Commissioner Alvaro Bedoya issued a joint concurring statement and Commissioner Rebecca Kelly Slaughter issued a separate concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

The 11-page Complaint has a number of interesting points:

Summary of the case

  • Drizly failed to use appropriate information security practices to protect consumers’ personal information. These failures allowed a malicious actor to access Drizly’s consumer database and steal information relating to 2.5 million consumers.
  • Rellas is responsible for this failure, having not properly delegated the responsibility to implement reasonable information security practices. As CEO of Drizly prior to and during the breach, Rellas hired senior executives dedicated to finance, legal, marketing, retail, human resources, product, and analytics, but failed to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly.
  • Drizly’s platform includes tools to verify a consumer’s age; monitor, track, and analyze orders; and support customer service. The platform also collects and stores both personal information that consumers provide and information that it automatically obtains from consumers’ computers and mobile devices.
  • Drizly’s databases contain, for more than 2.5 million customers:
    • names, email addresses, postal addresses,
    • phone numbers,
    • unique device identifiers,
    • order histories,
    • partial payment information,
    • geolocation information,
    • consumer data (including, e.g., income level, marital status, gender, ethnicity, existence of children, and home value) purchased from third parties, and
    • passwords that were hashed—converted into new values so as not to store the password itself in the database. The passwords were hashed using the bcrypt function or MD5, the latter of which is cryptographically broken and widely considered insecure.

  • Drizly also uses the GitHub software platform (“GitHub”) for the development, management, and storage of source code that supports the Drizly website and mobile apps. Through its GitHub account, Drizly maintains a number of repositories that hold company data and projects, and which at one point improperly held AWS credentials, which could be used to access the company’s production environment.
  • Drizly failed to use reasonable information security practices by failing to:
    • develop adequate written information security standards, policies, procedures, or practices; assess or enforce compliance with the written standards, policies, procedures, and practices that it did have;
    • implement training for employees (including engineers) regarding such standards, policies, procedures, and practices;
    • securely store AWS and database login credentials, by including them in GitHub repositories, and failed to use readily available measures to scan these repositories for unsecured credentials (such as usernames, passwords, API keys, secure access tokens, and asymmetric private keys);
    • impose reasonable data access controls such as:
      • requiring unique and complex passwords (i.e., long passwords not used by the individual for any other online service) or multifactor authentication to access source code or databases;
      • enforcing role-based access controls;
      • monitoring and terminating employee and contractor access to source code once they no longer needed such access;
      • restricting inbound connections to known IP addresses; and
      • requiring appropriate authentications between Drizly applications and the production environment;
    • monitor for unauthorized attempts to transfer or exfiltrate consumers’ personal information outside the company’s network boundaries; continually log and monitor its systems and assets to identify data security events; and perform regular assessments as to the effectiveness of protection measures;
    • test, audit, assess, or review its products’ or applications’ security features; and conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases; and
    • have a policy, procedure, or practice for inventorying and deleting consumers’ personal information stored on its network that was no longer necessary.
  • Drizly’s failures led to a breach in or around July 2020 of its production environment, and the exfiltration of the personal information of 2.5 million consumers.
  • In April 2018, Drizly granted a company executive access to its GitHub repositories so that he could participate in a one-day hackathon (a collaborative programming event). Following the event, Drizly failed to monitor and terminate the executive’s access, even though such access was no longer needed. Drizly failed to require unique and complex passwords or multifactor authentication for personal GitHub accounts that it granted access to its repositories, nor did it leverage Single Sign On for the GitHub organization. The executive’s GitHub account used a seven-character alphanumeric password that he had used for other personal accounts and did not use multifactor authentication although it was available.
  • In early July 2020, a malicious actor:
    • accessed the executive’s GitHub account by reusing credentials from an unrelated breach.
    • used the executive’s GitHub account to access one of Drizly’s GitHub repositories containing source code, which it could use to find vulnerabilities in Drizly’s software.
    • accessed AWS and database credentials.
    • used the compromised credentials from Drizly’s GitHub repositories to modify the company’s AWS security settings, permitting unfettered access to Drizly’s production environment, including databases containing millions of records of user information.
    • exfiltrated Drizly’s User Table, comprising more than 2.5 million records.
  • Drizly employees stored credentials in the company’s GitHub repository even though GitHub security guidance and numerous publicly-reported security incidents since 2013 highlighted the dangers of storing passwords and other access keys in GitHub repositories.
  • Drizly only learned of the breach from media and social media reports describing its customers’ accounts for sale on dark web forums.
  • Personal information exfiltrated from Drizly’s databases was offered for sale on two different, publicly-accessible dark web forums, including raidforums.com, a website where criminals post and offer for sale information from compromised databases.
  • The GitHub compromise and breach of Drizly’s production environment was not the company’s first security incident involving GitHub. In 2018, another Drizly employee posted Drizly AWS credentials to their individual public (personal) GitHub repository. The employee was unable to delete the GitHub posting or rotate the AWS credentials prior to the public exploitation of the credentials; as a result, Drizly’s AWS servers were used to mine cryptocurrency until Drizly learned of the exploitation and changed the credentials. This put Drizly and the CEO on notice of the potential dangers of exposing AWS credentials, and they should have taken appropriate steps to improve GitHub security, including implementation of policies, procedures, and technical measures to address the security practices of employees with access to Drizly’s organizational GitHub repositories.
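The complaint’s note above that some passwords were stored as unsalted MD5 digests while others used bcrypt is the usual state of a user table part-way through a migration. The following is an added example, not code from the complaint or from Drizly, of how a defender completes that migration: each record is verified against whichever scheme wrote it, and a legacy MD5 record is replaced with a salted, deliberately slow hash the next time the user logs in successfully, which is the only moment the plaintext is available. It uses hashlib.pbkdf2_hmac from the Python standard library as a stand-in for bcrypt (which needs the third-party bcrypt package); the record format, the iteration count and the sample users are this example’s own assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor: tune so that one hash costs roughly 100 ms on the login servers.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MODERN_PREFIX = "pbkdf2_sha256$"


def hash_password(password: str) -> str:
    """Salted, slow hash. Record format (this example's own):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{MODERN_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def legacy_md5(password: str) -> str:
    """The broken scheme: unsalted MD5 of the raw password. Kept only so that
    records written by it can still be verified during the migration."""
    return hashlib.md5(password.encode()).hexdigest()


def is_legacy(stored: str) -> bool:
    """Legacy records are bare 32-hex-character MD5 digests with no scheme tag."""
    return not stored.startswith(MODERN_PREFIX)


def verify(stored: str, password: str) -> bool:
    """Check a password against either record type, comparing in constant time."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def login(user_table: dict, username: str, password: str) -> bool:
    """Authenticate the user; on success, rewrite a legacy record with the
    modern scheme. The plaintext exists only at this moment, which is why
    the upgrade happens here rather than in a batch job over the table."""
    stored = user_table.get(username)
    if stored is None or not verify(stored, password):
        return False
    if is_legacy(stored):
        user_table[username] = hash_password(password)
    return True


# Constructed sample user table: one record from each scheme.
SAMPLE_USERS = {
    "legacy@example.com": legacy_md5("correct horse battery staple"),
    "modern@example.com": hash_password("a-long-unique-passphrase"),
}

if __name__ == "__main__":
    print("before login:", SAMPLE_USERS["legacy@example.com"])
    assert login(SAMPLE_USERS, "legacy@example.com", "correct horse battery staple")
    print("after login: ", SAMPLE_USERS["legacy@example.com"][:48] + "...")
    # Two users with the same password get different modern records (per-user
    # salt), whereas under unsalted MD5 their records would be identical.
    assert hash_password("shared") != hash_password("shared")
```

Until every legacy record has been rewritten, the unsalted MD5 digests remain in the table; a migration plan normally pairs this login-time upgrade with a deadline after which remaining legacy records are invalidated and those users are forced through a password reset.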

The decision relevantly provides that:

  • Drizly must:
    • within 60 days after the date of the Order, delete or destroy all Covered Information that is not being used or retained in connection with providing products or services to Corporate Respondent’s customers, and provide a written statement to the Commission confirming that all such data has been Deleted or destroyed and specifically enumerating which types of information were Deleted or destroyed;
    • refrain from collecting or maintaining any Covered Information not necessary for the specific purpose(s) provided in the retention schedule.
    • within 60 days, adhere to, and make publicly available on its website(s) or app(s), a retention schedule for Covered Information, setting forth:
      • the purpose or purposes for which each type of Covered Information is collected;
      • the specific business needs for retaining each type of Covered Information; and
      • a set timeframe for Deletion of each type of Covered Information that precludes indefinite retention of any Covered Information;
      • within 60 days Drizly must:
        • provide a written statement to the Commission, describing the retention schedule for Covered Information made publicly available on its website(s) or app(s);
        • establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, confidentiality, and integrity of such Covered Information
          • document in writing the content, implementation, and maintenance of the Information Security Program;
          • provide the written Information Security Program and any evaluations thereof or updates to any board of directors or governing body;
          • designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;
          • assess and document, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in the
            • unauthorized collection, maintenance, alteration, use, disclosure of, or provision of access to, Covered Information; or the
            • misuse, loss, theft, alteration, destruction, or other compromise of such information;
          • design, implement, maintain, and document safeguards that control for the internal and external risks Covered Businesses identify to the security, confidentiality, or integrity of Covered Information. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the
            • unauthorized collection, maintenance, use, disclosure of, or provision of access to, Covered Information; or the
            • misuse, loss, theft, alteration, destruction, or other compromise of such information.
        • such safeguards must also include:
          • a written information security policy and accompanying written standards and procedures that describe, at a minimum:
            • how each Covered Business implements each of the safeguards identified in this sub-Provision; and
            • how each Covered Business assesses and enforces compliance with these safeguards and any other controls it identifies in the policy and accompanying standards and procedures;
            • standards, procedures, and policy provisions mandating security education that addresses internal or external risks, including, at a minimum, training:
              • for employees about the security policy, standards, and procedures, including the requirements of this Order and the process for submitting complaints and concerns, to be conducted when an employee begins employment or takes on a new role, and on at least an annual basis thereafter; and
              • in secure software development principles, including secure engineering and defensive programming concepts, for developers, engineers, and system administrators.
            • technical measures, standards, procedures, and policy provisions to prevent the storage of unsecured access keys or other unsecured credentials on a Covered Business’ network or in any cloud-based services;
            • policy provisions and, to the extent possible, technical measures requiring employees, contractors, or third parties to secure any accounts with access to a Covered Business’ information technology infrastructure by:
              • using strong, unique passwords; and
              • using multi-factor authentication whenever available;
            • requiring multi-factor authentication methods for all employees, contractors, and affiliates in order to access any assets (including databases) storing Covered Information. These methods must not include telephone or SMS-based authentication and must be resistant to phishing attacks;
            • requiring that multi-factor authentication methods be provided as an option for consumers;
            • technical measures, standards, procedures, and policy provisions to:
              • log and monitor access to repositories of Covered Information in the control of a Covered Business;
              • limit access to Covered Information by, at a minimum, limiting employee and service provider access to what is needed to perform that employee’s or service provider’s job function;
              • grant and audit varying levels of access based on an employee’s need to know; and
              • periodically monitor and terminate employee and contractor accounts following inappropriate usage or termination of employment;
              • control data access for all assets (including databases) containing Covered Information or resources containing proprietary (i.e., non-open source) source code repositories, including, at a minimum:
                • restrictions of inbound connections to those originating from approved IP addresses;
                • requiring connections to be authenticated and encrypted; and
                • periodic audits of account permissions;
              • monitor and log:
                • transfers or exfiltration of Covered Information outside each Covered Business’ network boundaries;
                • data security events and other anomalous activity;
              • verify the effectiveness of monitoring and logging;
              • safeguard against unauthorized access, including:
                • an intrusion prevention or detection system;
                • file integrity monitoring tools;
                • data loss prevention tools;
                • properly configured firewalls; and
                • properly configured physical or logical segmentation of networks, systems, and databases;
              • assess the risk posed by source code to Covered Information stored on any Covered Business’ network or other assets, including, at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident involving a vulnerability related to Respondent’s source code:
                • software code review; and
                • penetration testing of each Covered Business’ software; and
              • systematically inventory Covered Information in each Covered Business’ control and Delete Covered Information that is no longer necessary;
            • assess, at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Covered Information, and modify the Information Security Program based on the results;
            • test and monitor the effectiveness of the safeguards in place at least once every 12 months and promptly (not to exceed 30 days) following a Covered Incident, and modify the Information Security Program based on the results. Such testing and monitoring must include:
              • vulnerability testing of each Covered Business’ network and applications once every 4 months and promptly (not to exceed 30 days) after a Covered Incident; and
              • penetration testing of each Covered Business’ network(s) and applications at least once every 12 months and promptly (not to exceed 30 days) after a Covered Incident;
            • select and retain service providers capable of safeguarding Covered Information they access through or receive from each Covered Business, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information; and
            • evaluate and adjust the Information Security Program in light of any changes to a Covered Business’ operations or business arrangements, a Covered Incident, or new or more efficient technological or operational methods to control for the risks;
            • each Covered Business must evaluate the Information Security Program at least once every 12 months and modify the Information Security Program based on the results.
        • Drizly must obtain initial and biennial assessments, the first within 180 days of the order and then every two years for 20 years.
        • prior to collecting any new type of information Drizly must update its retention schedule stating:
          • the purpose or purposes for which the new information is collected;
          • the specific business needs for retaining the new information; and
          • a set timeframe for Deletion of the new information that precludes indefinite retention.
  • Drizly must notify a government entity of an incident and report to the FTC, with the report including:
    • the date, estimated date, or estimated date range when the Covered Incident occurred;
    • a description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known;
    • a description of each type of information that was affected by the Covered Incident;
    • the number of consumers whose information was affected by the Covered Incident;
    • the acts that each Covered Business has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and
    • a representative copy of each materially different notice sent by each Covered Business to consumers or to any U.S. federal, state, or local government entity regarding the Covered Incident.
  • Rellas:
    • is bound by the consent order for 10 years in any business in which he is:
      • a majority owner; or
      • employed as, or functions as, a Chief Executive Officer or other senior officer with direct or indirect responsibility for information security;
    • must within 180 days ensure that the business has established and implemented, and thereafter maintains, a comprehensive information security program (“Business ISP”) that protects the security, confidentiality, and integrity of Covered Information; and
    • must ensure that any such business:
      • documents in writing the content, implementation, and maintenance of the Business ISP;
      • provides the written Business ISP and any evaluations thereof or updates thereto to any Relevant Business’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of the Relevant Business responsible for the Business ISP at least once every 12 months;
      • designates a qualified employee or employees to coordinate and be responsible for the Business ISP;
      • assesses and documents, at least once every 12 months, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in the
        • unauthorized collection, maintenance, alteration, use, disclosure of, or provision of access to, Covered Information; or the
        • misuse, loss, theft, destruction, or other compromise of such information;
      • designs, implements, maintains, and documents safeguards that control for the internal and external risks to the security, confidentiality, or integrity of Covered Information. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in the
        • unauthorized collection, maintenance, use, disclosure of, or provision of access to, Covered Information; or the
        • misuse, loss, theft, alteration, destruction, or other compromise of such information;
      • assesses, at least once every 12 months, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Covered Information, and modifies the Business ISP based on the results;
      • tests and monitors the effectiveness of the safeguards in place at least once every 12 months, and modifies the Business ISP based on the results. Such testing and monitoring must include:
        • vulnerability testing of the Relevant Business’s network and applications once every 4 months; and
        • penetration testing of the Relevant Business’s network(s) and applications at least once every 12 months;
      • selects and retains service providers capable of safeguarding Covered Information they access through or receive from the Relevant Business, and contractually requires service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information; and
      • evaluates and adjusts the Business ISP in light of any changes to the Relevant Business’s operations or business arrangements, new or more efficient technological or operational methods to control for risks.  At a minimum, each Relevant Business must evaluate the Business ISP at least once every 12 months and modify the Business ISP based on the results.
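The order’s requirement above for technical measures that prevent the storage of unsecured access keys or credentials, and the complaint’s finding that Drizly did not use readily available measures to scan its repositories for them, both come down to the same control: scan file contents for credential-shaped strings before they reach a shared repository. The following is an added example, not code from the FTC order or from Drizly, of such a scanner; it can be run over a set of paths or, as its main block does, over the files staged for a git commit. The rules, the allowlist comment and the sample files are this example’s own assumptions; the sample AWS values are the example credentials AWS publishes in its documentation, not live keys.

```python
import re
import subprocess
import sys
from pathlib import Path

# Rule name -> pattern. The AWS access key ID format (AKIA/ASIA + 16 uppercase
# alphanumerics) and the PEM header are well known; the password and token
# heuristics are this example's own and will need tuning per code base.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
]
ALLOWLIST_MARKER = "# pragma: allowlist secret"  # assumed opt-out for vetted test fixtures


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per (line, rule) hit. The excerpt has the matched
    text masked so the scanner's own output does not leak the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                masked = pattern.sub(lambda m: m.group(0)[:4] + "***", line)
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "excerpt": masked.strip()})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory {path: contents} mapping (used for the sample below)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_paths(paths: list[str]) -> list[dict]:
    """Scan files on disk, skipping binaries and anything unreadable as UTF-8."""
    findings = []
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        findings.extend(scan_text(p, text))
    return findings


def staged_files() -> list[str]:
    """Paths staged for the current commit (added, copied or modified)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]


# Constructed sample repository contents. The AWS values are the documented
# AWS example credentials, not live keys; the key file holds no key material.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "pr0d-db-s3cret"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted)\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}

if __name__ == "__main__":
    # With no arguments, behave as a pre-commit hook; with "--sample", scan the
    # constructed files above. Exit non-zero when anything is found so that the
    # commit is blocked.
    results = scan_files(SAMPLE_FILES) if "--sample" in sys.argv else scan_paths(staged_files())
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['excerpt']}")
    sys.exit(1 if results else 0)
```

A pre-commit hook only protects developers who install it; the same scan run by the repository host on every push (GitHub’s own secret scanning and push protection serve this role) catches the personal-account path the complaint describes, where the commit never passes through a managed workstation. A credential that has been committed even once must be rotated, not merely removed from the history.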
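The order’s monitoring and access-control requirements above (logging data security events and anomalous activity, restricting inbound connections to approved IP addresses, and an intrusion detection capability) are the controls that would have fired on the 2020 attack sequence in the complaint, where stolen credentials were used to change AWS security settings. The following is an added example, not code from the FTC order or from Drizly, of two such detections run over constructed CloudTrail-style management events: a security-group change that opens a database port to the whole internet, and any management-API call from an IP address outside the approved set. The event records are constructed and simplified (the field names follow CloudTrail’s, but they are not real log data), and APPROVED_CIDRS and DB_PORTS are this example’s assumptions.

```python
import ipaddress

# Assumptions: the office/VPN egress range (a TEST-NET-3 block here) and the
# database listener ports worth alerting on.
APPROVED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
DB_PORTS = {3306, 5432}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def from_approved_ip(source_ip: str) -> bool:
    """True when the caller's address lies in an approved range. Non-address
    values (CloudTrail writes e.g. 'AWS Internal' for service-originated
    calls) are treated as not approved so that they surface for review."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_CIDRS)


def opened_db_to_world(event: dict) -> bool:
    """True when an AuthorizeSecurityGroupIngress call grants 0.0.0.0/0 or
    ::/0 access to a port range that includes a database port. An
    'all traffic' rule (ipProtocol -1) carries no port fields, so the
    defaults cover the whole port space."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    params = event.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        ports = range(perm.get("fromPort", 0), perm.get("toPort", 65535) + 1)
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        cidrs = {r.get("cidrIp") or r.get("cidrIpv6") for r in ranges}
        if cidrs & WORLD_CIDRS and any(port in ports for port in DB_PORTS):
            return True
    return False


def evaluate(events: list[dict]) -> list[dict]:
    """Run both rules over a batch of events and return the alerts raised."""
    alerts = []
    for event in events:
        base = {"event": event.get("eventName"),
                "user": event.get("userIdentity", {}).get("userName", "?"),
                "ip": event.get("sourceIPAddress", "?")}
        if not from_approved_ip(base["ip"]):
            alerts.append({"rule": "unapproved_source_ip", **base})
        if opened_db_to_world(event):
            alerts.append({"rule": "db_port_opened_to_world",
                           "group": event["requestParameters"].get("groupId"), **base})
    return alerts


def _ingress(user, ip, perm):
    """Build a constructed AuthorizeSecurityGroupIngress event for the sample."""
    return {"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": ip,
            "userIdentity": {"userName": user},
            "requestParameters": {"groupId": "sg-0constructed",
                                  "ipPermissions": {"items": [perm]}}}


# Constructed sample events: routine read from the office, a database port opened
# to the world from an unknown address, a web port opened to the world from the
# office, and an 'all traffic' rule opened to the world from the office.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.17",
     "userIdentity": {"userName": "ops-engineer"}},
    _ingress("deploy-bot", "198.51.100.9",
             {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}),
    _ingress("ops-engineer", "203.0.113.40",
             {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}),
    _ingress("ops-engineer", "203.0.113.40",
             {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

In production these rules would read from the CloudTrail delivery stream rather than a list, and the second rule is only a detection; the matching preventive control is a service control policy or change pipeline that refuses world-open ingress on database ports in the first place.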

As is invariably the case, the media coverage has been comprehensive and damaging.  CNBC ran the story “FTC seeks to hold Drizly CEO accountable for alleged security failures, even if he moves to another company”, and Marketwatch ran “FTC brings action against Drizly, CEO Cory Rellas after data breach”.
