Drizly and its CEO subject of FTC order taking action over data breach
The order would place requirements on both Uber's alcohol delivery subsidiary and its CEO
The Federal Trade Commission (FTC) announced Monday a proposed order taking action against Drizly and its CEO in connection with a 2020 data breach that exposed information on 2.5 million consumers.
The FTC said Uber subsidiary Drizly and CEO James Cory Rellas would be required to destroy any data the online alcohol marketplace collected that is not necessary for operations, as well as to limit future personal information collection under the proposed consent order. It would also mandate the implementation of a more robust information security program and the establishment of safeguards to "protect against the security incidents outlined in the complaint," according to the FTC.
The order further seeks to put requirements on Rellas that would follow him even if he and the online alcohol marketplace parted ways. At any future company gathering data from over 25,000 consumers where he serves as a majority owner, CEO or an executive with information security duties, he would have to put in place an information security program, according to the FTC.
"We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us," a Drizly spokesperson told FOX Business.
The FTC’s complaint alleged Drizly and Rellas did not take appropriate measures to protect customer data from hackers after receiving notification of security issues in 2018. The breach took place two years later in 2020, when a hacker gained access to the company’s database after getting into an employee’s account and obtaining the company's GitHub login credentials, according to the FTC.
Two websites on the dark web subsequently put some Drizly customer personal information up for sale, the FTC alleged.
"Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness," Samuel Levine, director of the bureau of consumer protection at the FTC, said in a press release. "CEOs who take shortcuts on security should take note."
Once a description of the proposed consent order has been published in the Federal Register and undergone a 30-day comment period, the FTC will make a decision about finalizing it. The agency said it will publish it in the Federal Register "soon."