Federal Trade Commission Bites Back After Drizly Data Breach
Table of Contents
- By Steven
- Published: Nov 03, 2022
- Last Updated: Nov 04, 2022
Drizly delivers wine, beer, spirits, and other liquors to adults over the drinking age. This helps to keep intoxicated drivers off the streets, making roads safer. As a result, it has been a much-used service. Drizly has over 100 million users between Canada and the US. In 2018, Drizly was allegedly notified of an easy way to compromise its systems and ignored the notification.
How Did the Attack Occur?
Drizly never released how the cyber attack occurred. According to the FTC, or Federal Trade Commission, in 2018, a Drizly executive was given login credentials. This certainly doesn’t sound abnormal, but here’s the crazy part; when the executive had access, the company underwent a hackathon. The hacker used Drizly’s servers to mine bitcoin, and the executive left the company soon after that. In 2020, malicious actors used that same executive’s login to institute the hack that affected millions.
What Information Was Viewed or Stolen?
The stolen information involved emails, hashed passwords, birthdays, and less than two percent of cases involved delivery addresses. The FTC’s order proposes that Drizly delete all data it has on customers that is not completely necessary for its business to run.
What Did Drizly Do After the Breach?
After the breach, Drizly agreed to a settlement of about 2 million dollars. Since then, Drizly claims to have beefed up its security and hasn’t suffered another data breach to date. That won’t stop the order, in which the FTC targets Drizly CEO James Cory Rellas directly, holding him responsible for the violation. “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said. “CEOs who take shortcuts on security should take note.”
What Will Become of the Stolen Information?
The hacker doesn’t seem able to do much with the stolen information. While two percent of 2.5 million is 50,000, there could have been much more damage regarding customer addresses. Simply having the accounts’ associated emails poses enough danger; having your home address in the hands of a hacker is terrifying.
What Should Affected Parties Do in the Aftermath of the Breach?
In the aftermath of the breach, affected individuals should consider visiting the FTC website to find out more about the breach and the FTC’s order. You can also look at places like CNN and JD Supra that are keeping up with the updates to the FTC order and the aftershocks of the breach. And, of course, as always, you should take as many steps as possible to protect yourself, your devices, and your loved ones. There is software made for this express purpose; looking around your device and helping to ensure that you don’t have any personal information anywhere unauthorized. Even if you weren’t involved in the breach, you should still do your best to stay safe.