Recently, the FTC issued a proposed order against Drizly and its CEO James Cory Rellas for conducting unfair information security practices and making deceptive security statements that compromised the information of more than 2.5 million consumers in violation of the FTC Act.
According to the FTC’s complaint, Drizly granted a company executive access to Drizly’s GitHub repository in 2018 for a one-day hackathon. The executive never used that access again and later left Drizly, yet Drizly never revoked it. In 2020, a hacker used the former executive’s login credentials to access Drizly’s GitHub repository and, from there, its Amazon Web Services account information. The hacker used this information to modify Drizly’s security settings and access the records of more than 2.5 million Drizly consumers. Drizly did not become aware of the breach until media and social media reports revealed that its consumers’ information was being sold on dark web forums.
This was not Drizly’s first incident involving GitHub. Drizly also experienced a security breach in 2018 when a Drizly employee posted the company’s Amazon Web Services credentials to their personal GitHub repository. The employee was unable to delete or rotate the credentials before hackers obtained them and used them to access Drizly’s servers to mine cryptocurrency.
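The two incidents above share a pattern: access that outlived its purpose, and long-lived cloud credentials committed to source control. The following is an added example (not code from the FTC complaint, from Drizly, or from this article) of the two checks a practitioner would run to catch both: an access review that flags repository collaborators who are no longer on the roster or whose credentials have sat idle, and a pre-push scan for AWS access key material. The collaborator list, roster, review date, and commit text are constructed sample data; the key pair in the sample is the inert example pair AWS publishes in its documentation, not a real credential.

```python
import re
from datetime import date, timedelta

# Constructed sample data (not from the FTC complaint): repository collaborators
# with the date their credential was last used, the HR roster of current staff,
# and the date the review is run.
COLLABORATORS = [
    {"login": "alice", "last_used": date(2024, 5, 2), "role": "engineer"},
    {"login": "hackathon-exec", "last_used": date(2018, 6, 14), "role": "executive"},
    {"login": "bob", "last_used": date(2024, 4, 28), "role": "engineer"},
]
CURRENT_STAFF = {"alice", "bob"}
AS_OF = date(2024, 6, 1)


def stale_access(collaborators, current_staff, as_of, max_idle_days=90):
    """Return (login, reasons) for every account whose access should be revoked:
    the holder is no longer on the roster, or the credential has been idle for
    longer than max_idle_days. Either condition alone is enough to flag."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for c in collaborators:
        reasons = []
        if c["login"] not in current_staff:
            reasons.append("not on current roster")
        if c["last_used"] < cutoff:
            reasons.append(f"idle since {c['last_used'].isoformat()}")
        if reasons:
            findings.append((c["login"], reasons))
    return findings


# AWS access key IDs are 20 uppercase alphanumerics with a fixed prefix: AKIA for
# long-term IAM user keys, ASIA for temporary STS keys. The secret key is 40
# characters from the base64 alphabet and is only flagged when it follows an
# aws_secret_access_key-style assignment, which keeps false positives down.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
AWS_SECRET = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)


def find_aws_credentials(text):
    """Return (line_number, kind, value) for each apparent AWS credential in text.
    Intended to run over the content about to be committed or pushed."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            hits.append((n, "access_key_id", m.group(1)))
        for m in AWS_SECRET.finditer(line):
            hits.append((n, "secret_access_key", m.group(1)))
    return hits


# Constructed commit content using AWS's documented example (non-functional) key pair.
SAMPLE_COMMIT = """\
# deploy.cfg
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for login, reasons in stale_access(COLLABORATORS, CURRENT_STAFF, AS_OF):
        print(f"revoke {login}: {'; '.join(reasons)}")
    for n, kind, value in find_aws_credentials(SAMPLE_COMMIT):
        print(f"line {n}: {kind} {value[:4]}... found; rotate it and block the push")
```

On the sample data the access review flags only the hackathon account, for both reasons at once, and the scan reports the key ID on line 3 and the secret on line 4. A finding from the scanner means the credential is already compromised for practical purposes: rotate it first, then clean the history, since deleting the commit does not undo a clone or a fork that already happened.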
Based on this background, the FTC alleged that Drizly and Rellas misrepresented that the company used appropriate safeguards to protect consumers’ personal information, failed to monitor its security processes and access to consumer information, and failed to require complex passwords or multifactor authentication. Importantly, the FTC appears to have drawn on requirements from its recent revisions to the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (GLBA) as standards that Drizly failed to uphold. Drizly does not appear to be regulated under GLBA. If the same standards are being applied by the FTC to companies that are not financial institutions under GLBA, this appears to be a significant broadening of the FTC’s regulatory enforcement.
This case is also an important lesson to CISOs and other senior officers who have the authority to control a company’s data security practices: an order from the FTC can follow you to any future companies that collect consumer information. Rellas had the authority to control or participate in Drizly’s data security practices, but failed to adopt a comprehensive information security program. Now Rellas must ensure he complies with the order whether he stays with Drizly or moves on to a different company.
It is clear that the FTC is becoming much more serious about cybersecurity regulation. Pursuant to the FTC’s proposed order, Drizly and Rellas are required to: delete unnecessary data, limit data collection and retention to what is necessary for the company’s specific purposes, implement a comprehensive security program, and monitor the company’s compliance.