The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.
According to the FTC, Drizly stored a variety of personal information in its production database. Included in that information were 2.5 million consumers’ passwords hashed using bcrypt encryption, which as the FTC stated was “widely considered insecure.” The FTC also indicated in its complaint that the company had not hired anyone to run its information security program. In the context of these findings, the FTC took issue with Drizly’s privacy policy which stated, conversely, that “All information we collect is securely stored within our database, and we use standard, industry-wide, commercially reasonable security practices such as 128-bit encryption, firewalls and SSL (Secure Socket Layers).”
As the FTC complaint contends, the security problems began when Drizly hosted a coding competition. As part of the competition, it gave one of its executives access to its GitHub platform, which contained not only source code to support the company site, but also credentials to its production database. After the competition ended, those credentials were not revoked, even though they were meant to be temporary, and the executive ultimately left the company. The credentials were stolen in an unrelated breach and used by the threat actor to access the production database and exfiltrate the consumers’ information. Drizly did not discover the exfiltration, and instead learned only through media reports that customers’ accounts were being sold on dark web forums. According to the FTC, the company conducted a post-breach analysis which determined that the incident occurred because the company did not have in place a formal security program or hygiene practice.
The FTC alleged in the complaint that Drizly’s lack of sufficient security practices coupled with the statements in its privacy policy were both unfair and deceptive in violation of the FTC Act. Among other things, the FTC pointed to the fact that another employee’s access to the production database was compromised in a similar fashion on GitHub, which resulted in a threat actor using Drizly’s servers to mine cryptocurrency.
The FTC said that Drizly could have likely prevented the 2020 breach by requiring regular review of access permissions, multifactor authentication for all employees with access to code repositories, and scanning of code repositories for unsecured credentials. The FTC order was directed against both the company and its CEO, a co-founder and active in all parts of its management. (One commissioner disagreed with finding him personally responsible.) If the order is made final by the FTC, Drizly and the CEO will be required to:
- Destroy unnecessary consumer personal information;
- Publicly post a retention schedule for personal information;
- Limit the future collection of personal information;
- Implement a comprehensive data security program that includes:
- multi-factor authentication for databases with consumer data;
vulnerability testing of the network and applications every four months;
penetration testing the business’s network and applications every twelve months; and
- multi-factor authentication for databases with consumer data;
- Conduct biennial security assessments for the next twenty years
Putting it into practice. This case highlights several of the FTC’s expectations around a company’s security measures. These include having someone in charge of information security, having a formal information security program, utilizing multi-factor authentication, and taking action on any recommendations or remedial areas identified in a post-breach analysis. This case is also a reminder that here, as in many other cases, an FTC consent decree may be issued not just against the company, but its directors or owners as well.