Database Breach
Drizly used Amazon Relational Database Service (“Amazon RDS”), a cloud service provided by Amazon Web Services (AWS), to host the software that ran Drizly’s e-commerce platform. Drizly stored customer data, including passwords, on the database. Although the passwords were hashed, Drizly used an obsolete method that the FTC described as “cryptographically broken, and widely considered insecure.”1 Drizly also used GitHub’s software platform to develop, manage and store source code for its e-commerce platforms.2
The 2020 breach arose after Drizly granted a company executive access to its GitHub repositories for participation in a one-day hackathon in 2018. After the event, Drizly failed to monitor or terminate the executive’s access to the repository, which contained both company site source code and production database credentials. This continued access was unwarranted, according to the complaint, since the executive never accessed the repositories after the hackathon.
Drizly did not require unique or complex passwords nor multifactor authentication for personal GitHub accounts. As a result, the executive “used a seven-character alphanumeric password that he had used for other personal accounts and did not use multifactor authentication although it was available.”3 In July 2020, a malicious actor gained access to Drizly’s GitHub repositories by reusing the executive’s credentials from an unrelated breach. The malicious actor accessed source code, exposing vulnerabilities in Drizly’s software, along with AWS and database credentials. The malicious actor used the compromised credentials to modify the company’s AWS security settings, gaining unfettered access to Drizly’s production environment, including consumers’ personal data.
Drizly’s Alleged Cybersecurity Failures
The complaint alleges that the breach was exacerbated by several security failures by Drizly and its CEO James Rellas, namely failing to:
- Develop and implement adequate written security standards, or train employees, including engineers, on complying with company policies.
- Securely store login credentials or use readily available measures to scan repositories for unsecured credentials.
- Monitor its network for security threats.4
- Implement basic security measures (e.g., multifactor authentication, unique passwords and role-based controls).
- Appropriately test the security features of its products and apps, or conduct periodic vulnerability scans.
- Have a policy, procedure or practice for inventorying and deleting customers’ personal information stored on its network that was no longer necessary.5
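The credential-scanning failure in the list above is the kind of check that can be run mechanically over a repository, in a pre-commit hook or a CI job. The following is an added example written for this page, not code from the FTC complaint, from Drizly or from any of the tools mentioned: a small Python scanner that flags AWS access key IDs, AWS secret keys assigned in configuration, and database URLs with an embedded password, and reports each finding with the secret redacted. The regular expressions encode general AWS key formats and URL conventions; the sample settings file, its made-up database URL and AWS's publicly documented example key pair are constructed for the demonstration and are not values from the case.

```python
"""Minimal secrets scanner for source repositories (added example, not from the page)."""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Each pattern targets a class of secret the complaint says was exposed through
# repository code. The formats are general AWS and database-URL conventions,
# not values taken from the Drizly case.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 characters.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-character secret assigned to an aws_secret_access_key-style setting.
    "aws_secret_access_key": re.compile(
        r"""(?i)aws_secret_access_key\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})["']?"""),
    # user:password@host URLs, the form most often pasted into config files.
    "db_url_with_password": re.compile(
        r"""\b(?:postgres(?:ql)?|mysql)://[^:\s/]+:[^@\s]+@[^\s"']+"""),
}

# (path, line number, pattern name, redacted match)
Finding = Tuple[str, int, str, str]


def redact(secret: str) -> str:
    """Keep only a short prefix so the scanner's own report never re-leaks the secret."""
    return secret[:4] + "..." if len(secret) > 4 else "..."


def scan_text(text: str, path: str = "<input>") -> List[Finding]:
    """Scan one file's contents line by line and return every match."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                # Prefer the capture group (the bare secret) when the pattern has one.
                secret = match.group(match.lastindex or 0)
                findings.append((path, lineno, name, redact(secret)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> contents (what a pre-commit hook sees)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


def scan_directory(root: str,
                   suffixes: Iterable[str] = (".py", ".yml", ".yaml", ".json", ".cfg", ".ini")
                   ) -> List[Finding]:
    """Walk a checkout on disk, skipping .git, and scan text files by suffix (and .env files)."""
    files: Dict[str, str] = {}
    for p in Path(root).rglob("*"):
        if ".git" in p.parts or not p.is_file():
            continue
        if p.suffix not in suffixes and p.name != ".env":
            continue
        files[str(p)] = p.read_text(errors="replace")
    return scan_files(files)


def repo_is_clean(files: Dict[str, str]) -> bool:
    """Gate for a commit hook: True only when no pattern matched anywhere."""
    return not scan_files(files)


# Constructed sample: a settings file with credentials committed alongside code.
# The AWS values are the example pair from AWS's own documentation, not live keys.
SAMPLE_CONFIG = """\
# settings.py (constructed sample)
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DATABASE_URL = "postgres://app:hunter2@db.internal:5432/orders"
LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    for path, lineno, name, snippet in scan_text(SAMPLE_CONFIG, "settings.py"):
        print(f"{path}:{lineno}: {name} ({snippet})")
    status = "clean" if repo_is_clean({"settings.py": SAMPLE_CONFIG}) else "secrets found: block the commit"
    print(status)
```

Run as a script it reports the three planted secrets with only their first four characters shown; `scan_directory` applies the same patterns to a real checkout. Pattern matching of this kind catches the obvious cases (key IDs have a fixed prefix and length, connection strings have a recognisable shape) but not every secret, so it complements rather than replaces rotating any credential that ever reached a repository.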
The FTC argued that Drizly should have foreseen such an attack. “For example, the Commission’s 2018 Complaint against Uber Technologies Inc. specifically publicized and described credential reuse, lack of multifactor authentication, and insecure AWS credentials exposed through GitHub repository code as failures contributing to the breach and exposure of consumers’ personal information.”6 Drizly itself suffered a similar breach in 2018 involving GitHub, where an employee posted Drizly AWS credentials to the employee’s public, personal account. The compromised credentials were used to mine cryptocurrency on Drizly’s AWS servers until Drizly learned of the event.7
Enforcement Action for both Drizly and CEO James Rellas
The FTC’s enforcement action applies to both Drizly and its CEO, personally. The complaint alleges that Rellas failed to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly. Under the order, Drizly is required, among other things, to:
- Destroy unnecessary personal data (and document and report to the FTC what data is destroyed).
- Limit data collection and storage unless necessary for a specified purpose outlined in a retention schedule (and publicly detail on its website data collected and why it is necessary).
- Implement a comprehensive information security program and establish safeguards as outlined in the complaint.
- Conduct biennial security assessments for the next 20 years.
Notably, the order will follow Drizly CEO James Cory Rellas to future businesses. At any business where he is the majority owner or functions as a CEO or senior official, the order requires him to implement a security program if that business collects, uses or stores information from 25,000 or more consumers. To satisfy this security program requirement, Rellas must, at a minimum:
- Document the content, implementation and maintenance of the information security program in writing.
- Provide the written information security program, including any evaluations or updates thereof, to the board of directors and other leadership at least annually.
- Designate personnel to coordinate and be responsible for the information security program.
- Assess and document security risks to the organization and the sufficiency of security safeguards at least annually.
- Test and monitor the effectiveness of safeguards at least annually, including vulnerability testing at least every four months and penetration testing at least every 12 months.
- Select and retain capable service providers and contractually require them to implement adequate security safeguards.
- Evaluate and adjust the information security program in light of business and technological changes at least annually.
FTC Chair Lina Khan and Commissioner Alvaro M. Bedoya said in a joint statement that “[t]oday’s settlement sends a very clear message: protecting Americans’ data is not discretionary. It must be a priority for any chief executive.”8
The FTC voted 4-0 in support of the order, but the commission’s sole Republican, Christine Wilson, dissented from the decision to name Rellas: “By naming Rellas, the Commission has not put the market on notice that the FTC will use its resources to target lax data security practices. Instead, it has signaled that the agency will substitute its own judgment about corporate priorities and governance decision for those of companies.”9
Conclusion
Time will tell whether the FTC’s enforcement against Rellas personally is a rare step or a new norm for consent orders. In the meantime, CEOs should be aware of their company’s cybersecurity and data privacy policies and ensure the policies are in writing and adhered to by the company. Cybersecurity is a leadership responsibility and should be a priority issue at the C-suite level. As the FTC’s view of what counts as reasonable cybersecurity continues to take shape, companies should take note of frequently mentioned cybersecurity practices, like multifactor authentication and password hygiene.
If you have any questions, please contact a member of the Akin Gump cybersecurity, privacy and data protection team.
1 The passwords were hashed using the bcrypt function or MD5, the latter of which the FTC stated was “cryptographically broken” and “widely considered insecure.” Complaint, Drizly, LLC, a Limited Liability Company, and James Cory Rellas, individually, and as an officer of Drizly, LLC., FTC File No. 2023185, 2 (Oct. 24, 2022) (complaint), https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Complaint.pdf.
2 GitHub is an open source internet hosting service for software development, enabling developers to store and share project files.
3 Id. at 4.
4 In fact, “Drizly only learned of the breach from media and social media reports describing its customers’ accounts for sale on dark web forums.” Id. at 5.
5 Id. at 3–4.
6 Id. at 5. Additionally, Drizly is now a subsidiary of Uber. Kate Conger, Uber buys Drizly, an alcohol delivery service, for $1.2 billion, N.Y. TIMES (Feb. 2, 2021), https://www.nytimes.com/2021/02/02/business/uber-buys-drizly.html.
7 Complaint, FTC File No. 2023185, at 5.
8 Statement of Chair Lina M. Khan Joined by Commissioner Alvaro M. Bedoya, Drizly, LLC, a Limited Liability Company, and James Cory Rellas, individually, and as an officer of Drizly, LLC., FTC File No. 2023185, (Oct. 24, 2022) (public statement), https://www.ftc.gov/system/files/ftc_gov/pdf/Statement-of-Chair-Lina-M.-Khan-Joined-By-Commissioner-Alvaro-M.-Bedoya-re-Drizly-final.pdf.
9 Concurring and Dissenting Statement of Commissioner Christine S. Wilson, Drizly, LLC, a Limited Liability Company, and James Cory Rellas, individually, and as an officer of Drizly, LLC., FTC File No. 2023185, (Oct. 24, 2022) (public statement), https://www.ftc.gov/system/files/ftc_gov/pdf/2023185WilsonDrizlyStatement.pdf.