FTC: Drizly Knew of Security Issues, Failed to Prevent Data Breach
Some 2.5 million Drizly consumers' personal information was exposed to hackers who penetrated the online alcohol marketplace after Drizly failed to fix vulnerabilities it had known about for two and a half years, the Federal Trade Commission said.
The agency specifically named James Cory Rellas, CEO, as the person responsible for the data breach. "As CEO of Drizly prior to and during the breach, Rellas hired senior executives dedicated to finance, legal, marketing, retail, human resources, product, and analytics, but failed to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly," the complaint states.
A Drizly spokesperson told us the company takes "consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us.”
The agency proposed an order that requires the company to destroy unnecessary data, restricts the data the company can collect and retain and – notably – binds Drizly's CEO to specific data security requirements not only at Drizly but any other firm at which he may work.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”
Drizly's databases "contain, among other things, names, email addresses, postal addresses, phone numbers, unique device identifiers, order histories, partial payment information, geolocation information, and consumer data (including, e.g., income level, marital status, gender, ethnicity, existence of children, and home value) purchased from third parties," the complaint says.
"The databases also contain passwords that were hashed—converted into new values so as not to store the password itself in the database. The passwords were hashed using the bcrypt function or MD5, the latter of which is cryptographically broken, and widely considered insecure. This personal information can be misused to facilitate identity theft and other consumer harm. Drizly’s databases contain some or all of this personal information for more than 2.5 million consumers."
The complaint notes that Drizly uses the GitHub software platform for development, management and storage of source code that supports the Drizly website and mobile apps.
The complaint explains that in early July 2020, a hacker accessed a Drizly "executive’s GitHub account by reusing credentials from an unrelated breach. The malicious actor then used the executive’s GitHub account to access one of Drizly’s GitHub repositories containing source code, which it could use to find vulnerabilities in Drizly’s software. It was also able to access, in those same repositories, AWS and database credentials.
"Drizly employees stored these credentials in the company’s GitHub repository even though GitHub security guidance and numerous publicly-reported security incidents since 2013 have highlighted the dangers of storing passwords and other access keys in GitHub repositories.
"The intruder used the compromised credentials from Drizly’s GitHub repositories to modify the company’s AWS security settings. This modification provided the intruder unfettered access to Drizly’s production environment, including databases containing millions of records of user information. The intruder proceeded to exfiltrate Drizly’s User Table, comprising more than 2.5 million records," the complaint states.
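The root cause the complaint describes is credentials committed to source control: an AWS key pair and a database connection string sitting in a repository that a single reused password could open. The check a practitioner would want is a secret scan that runs before code reaches the remote. The following is an added example, not code from Drizly, GitHub or the FTC: a small scanner over an in-memory set of constructed repository files, flagging AWS access key IDs, high-entropy AWS secret keys, and passwords embedded in connection URLs, and redacting each value in its report. The file contents, paths and the `AKIA…`/`wJalr…` values are constructed (the latter two are the placeholder credentials from AWS documentation, not real keys); the function names are this example's own.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample repository. These files and values are fabricated for the
# example; the AWS values are the non-functional placeholders AWS uses in its
# own documentation.
SAMPLE_FILES = {
    "README.md": "# Service\n\nRun `make test` before opening a PR.\n",
    "app/models.py": "class User:\n    table = 'users'\n",
    "config/settings.py": (
        'DEBUG = False\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DATABASE_URL = "postgres://app:S3cretPassw0rd@db.internal:5432/prod"\n'
    ),
}

# Long-lived AWS access key IDs start with AKIA, temporary ones with ASIA.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-char base64-ish value assigned near the words "aws" and "secret".
AWS_SECRET_RE = re.compile(
    r"aws.{0,20}?secret.{0,20}?['\"]([A-Za-z0-9/+=]{40})['\"]", re.IGNORECASE
)
# scheme://user:password@host ... the password is the second group.
URL_CREDENTIAL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://([^\s:/'\"]+):([^\s@'\"]+)@")

# Entropy floor (bits per character) that a real 40-char secret key clears
# comfortably while repeated or dictionary-like strings do not.
SECRET_ENTROPY_THRESHOLD = 4.0


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of a string; 0.0 for empty or uniform input."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to its source without repeating the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents and return a Finding per credential-looking line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = AWS_KEY_ID_RE.search(line)
        if m:
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
            continue
        m = AWS_SECRET_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= SECRET_ENTROPY_THRESHOLD:
            findings.append(Finding(path, line_no, "aws_secret_access_key", redact(m.group(1))))
            continue
        m = URL_CREDENTIAL_RE.search(line)
        if m:
            findings.append(Finding(path, line_no, "credential_in_url", redact(m.group(2))))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents (e.g. the staged files of a commit)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_is_blocked(files: dict) -> bool:
    """Pre-commit style gate: True if anything credential-looking was staged."""
    return bool(scan_files(files))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.redacted})")
    raise SystemExit(1 if commit_is_blocked(SAMPLE_FILES) else 0)
```

Run as a pre-commit hook, `commit_is_blocked` over the staged files would have refused the commit that put the keys in the repository in the first place; run as a scheduled scan over checked-out trees and git history it finds keys that are already there, which then need rotating, not merely deleting, because history retains them. The entropy floor keeps the secret-key pattern from firing on obvious placeholders such as forty repeated `x` characters, while the key-ID prefix and the URL form are specific enough to report on their own.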
Drizly learned of the breach through social media reports describing its customers' accounts being offered for sale on dark web forums, the FTC charged, adding that this was not the first time a Drizly security incident involved GitHub. A similar incident occurred two years earlier, at which point Drizly and Rellas "were on notice of the potential dangers of exposing AWS credentials and should have taken appropriate steps to improve GitHub security," the complaint says.
In its proposed enforcement order, the FTC requires Drizly and Rellas to destroy unnecessary data, limit future data collection, and implement an information security program.