Online liquor delivery company Drizly was found guilty of negligence that led to the data breach of nearly 2.5 million consumers. The CEO of Drizly James Cory Rellas was accused of security failures after the company failed to take precautionary measures to secure their systems despite being alerted of the issues two years prior to the cyberattack.
As per reports, a cybercriminal managed to hack into an employee’s account, access Drizly’s corporate GitHub login details and steal consumer data from the systems. Following the latest data breach, the Federal Trade Commission lodged a complaint against Drizly and James Cory Rellas for failing to take necessary actions to secure its systems.
The previous warning to Drizly
As per an FTC complaint, an employee of Drizly published the company’s cloud computing account credentials on GitHub in 2018. This led to a cryptocurrency mining incident using Drizly’s server and it stopped when the company changed its login credentials.
Drizly is headquartered in the United States and is a subsidiary of Uber, the ride-sharing service. The company uses Amazon web services cloud computing service to store the personal information of its consumers. It includes phone numbers, postal addresses, emails, unique device identifiers, geolocation information, and also data purchased from third parties.
As per the news press release published on the website of the FTC on October 24, Samuel Levine, the director of the FTC bureau of consumer protection stated that such sanctions will help CEOs who take shortcuts on security. “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” he said.
Why the complaint was filed
FTC alleged the company of mainly four negligence. They were:
- Failing to implement basic security measures
- Storing critical database information on an unsecured platform i.e, on GitHub despite the 2020 hacking incident
- Neglecting to monitor the network for security threats.
- Exposing customers to hackers and identity thieves. The FTC stated that the stolen user data was sold on the dark web which posed a severe security threat to those users as their information could have been duplicated or left online for use in other cyber-attacks.
Several actions were proposed for Drizly to comply with including the destruction of the unnecessary data the company has collected, limiting future data collection and employing an information security program that would look after the security measures of the systems.