FTC Takes Action Against Drizly, CEO Following 2020 Data Breach

The Federal Trade Commission (FTC) is taking action against both online alcohol marketplace Drizly and its CEO, James Cory Rellas, pointing to allegations that they were alerted to data security problems but failed to improve the company’s procedures before a data breach took place two years later in 2020.

The data breach exposed the personal information of 2.5 million customers of Drizly, which is a subsidiary of Uber, the FTC said Monday (Oct. 24) in a press release.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” FTC Bureau of Consumer Protection Director Samuel Levine said in the release. “CEOs who take shortcuts on security should take note.”

A Drizly spokesperson told PYMNTS via email: “We take consumer privacy and security very seriously at Drizly and are happy to put this 2020 event behind us.”

Drizly and Rellas were alerted to the company’s data security problems in 2018 when hackers took advantage of a security breakdown and used its servers to mine for cryptocurrency until the company changed its login information. Two years later — after Drizly failed to adequately address its security problems — a hacker stole customers’ information, the release stated, citing the FTC’s complaint.

Under the proposed FTC order, Drizly and Rellas are required to destroy unnecessary data, limit future data collection, and implement an information security program, according to the release.

“Notably, the order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO,” the FTC said in the release, noting that the proposed order will follow Rellas if he leaves Drizly.

In April, FTC Chair Lina Khan said it is time for the agency to “reassess” rules around what data companies can collect from consumers, calling for a new approach to consumer data protection to replace companies’ privacy policies on collection and use of consumer data.