Fascinating enforcement action from the Federal Trade Commission this week, which brought charges of poor cybersecurity practices against an online liquor store and its CEO personally — who will need to abide by the terms of the consent order even if he leaves the company and takes another job elsewhere!
The company is Drizly.com, which sells and delivers beer, wine, and liquor to consumers. The FTC proposed an enforcement action against Drizly earlier this week, for sloppy cybersecurity practices that allowed an attacker to penetrate Drizly’s defenses in 2020 and abscond with the personal information of some 2.5 million consumers. The complaint also named James Rellas, co-founder of Drizly and CEO since 2018, as co-defendant personally.
The enforcement action will now be out for public comment for several weeks before the FTC takes a final vote to impose the action. Drizly and Rellas did both agree to a consent order outlining a slew of cybersecurity improvements they need to make. Beyond that, there were no monetary penalties and neither party admits nor denies any of the FTC allegations. Also, Drizly was acquired by Uber last year, although the company still operates as an independent subsidiary today.
Let’s start with the actual data breach and the gaps in Drizly’s security practices that allowed the breach to happen. As outlined in the FTC complaint, at the time of the breach, Drizly relied on two cloud-based platforms to operate: Amazon Web Services to host its production databases, and GitHub to manage the development of source code for its website and mobile app. Drizly required employees to use their personal GitHub accounts to access its corporate data — a point that will figure prominently in this story, I promise.
In April 2018, Drizly granted a company executive access to its GitHub repositories so that he could participate in a one-day hackathon. Except, Drizly never terminated the executive’s access after that hackathon. Nor did Drizly require complex passwords or multi-factor authentication for employees to access its GitHub data. So when that executive was granted access to the Drizly GitHub account, he only used a seven-character password that he had used for other personal accounts.
In July 2020, an attacker gained access to the executive’s personal GitHub account by reusing credentials from an unrelated breach. From there, the attacker jumped to Drizly’s corporate GitHub account, which contained the credentials to access Drizly’s Amazon Web Services data.
The AWS database contained the personal data of those 2.5 million consumers, which the attacker promptly exfiltrated to the dark web. Drizly didn’t even learn about the breach until media reports surfaced, describing its customers’ accounts for sale on dark web forums.
Security Control Failures
So what did Drizly do wrong? The FTC offered a litany of failures that it said left consumer data in jeopardy:
- Not requiring unique and complex passwords, such as long passwords not used by the employee for any other online service;
- Not implementing multi-factor authentication to access source code or databases;
- Failing to monitor and terminate employee access to source code once they no longer needed such access (which would have prevented the breach described above);
- Failing to monitor for unauthorized attempts to transfer or exfiltrate consumers’ personal information outside the company’s network boundaries;
- Failing to test or audit applications’ security features on a regular basis;
- Lacking policies and procedures to inventory and delete customer data that’s no longer necessary for corporate operations.
None of those shortcomings are particularly new in cybersecurity land. For example, regulators have talked extensively about the need for multi-factor authentication, specifically when accessing confidential data from off-site networks. They’ve also talked about the need for “data minimization” policies. (That came up as recently as last week, in New York regulators’ cybersecurity enforcement action against EyeMed.) As to storing important log-in credentials on GitHub, the FTC faulted Uber for that mistake in 2018 and even GitHub itself warns companies not to do it. Drizly did.
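As an added illustration of the GitHub point (not code from the original post or from Drizly): a pre-receive-style check that scans only the lines a push adds, flagging the AWS access key ID format and any quoted 40-character token whose entropy looks like a secret access key rather than text. The diff is constructed, and the key values are AWS's own documentation placeholders, not real credentials.

```python
"""Pre-receive style scan for AWS credentials in the added lines of a diff."""
import math
import re
from collections import Counter

# Access key IDs have a fixed, documented shape: "AKIA" plus 16 uppercase alnum chars.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-style characters; look at quoted tokens only.
QUOTED_40 = re.compile(r"['\"]([A-Za-z0-9/+=]{40})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per char; prose and repeated text sit well below this

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def mask(token: str) -> str:
    """Keep a prefix for triage; never echo the full secret into logs."""
    return token[:4] + "*" * (len(token) - 4)

def scan_diff(diff: str) -> list[tuple[int, str, str]]:
    """Return (line_no, finding_kind, masked_value) for each added line that leaks."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        # Only added lines are new leaks; "+++" is the file header, not content.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", mask(m.group(0))))
        for m in QUOTED_40.finditer(line):
            token = m.group(1)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "aws_secret_access_key", mask(token)))
    return findings

# Constructed sample diff. The two key values are AWS's published documentation
# placeholders (AKIAIOSFODNN7EXAMPLE and its companion secret), not live keys.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DEBUG = True
+DATABASE_HOST = "db.internal.example"
+# A low-entropy 40-char string is not flagged, which keeps false positives down:
+MOTTO = "aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd"
"""

if __name__ == "__main__":
    for lineno, kind, masked in scan_diff(SAMPLE_DIFF):
        print(f"line {lineno}: {kind} -> {masked}")
```

The entropy gate is what separates a real secret from a long constant; a repo-wide history scan uses the same two checks over every commit, since a key deleted in a later commit is still recoverable from the earlier one.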
The challenge, I think, is how high-growth startups can embrace all those security practices while they’re growing so quickly. It’s a security-first mindset that depends on strong support from executive management, and such focus can be difficult when you are (1) a startup company; and (2) growing like weeds.
Enforcement Against Rellas
So Drizly and Rellas agreed to a consent order that requires them to implement a strong security program. Again, the remediation steps they need to implement are nothing we haven’t heard before:
- Regular security risk assessments, and additional assessments immediately following any significant security incidents;
- Annual testing of security controls, plus additional tests within 30 days of a significant security incident;
- Multi-factor authentication required for all employees and contractors, although those MFA protocols “shall not include telephone or SMS-based authentication methods and must be resistant to phishing attacks,” which is interesting;
- A written information security policy;
- Better security training for employees;
- Comprehensive security assessments performed by a qualified, independent third party every other year.
What’s most interesting is that those remediation steps (and others) apply to both Drizly as a corporation and to Rellas personally — so that even if he leaves Drizly and takes another job elsewhere, Rellas will need to do the same at his new employer. Quoting directly from the FTC statement:
The order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO. In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.
Never have I heard of a civil enforcement action like this, one that requires reforms to business operations and applies to an executive personally as he moves through his career. It’s astonishing.
Republican FTC commissioner Christine Wilson released a statement opposing the order against Rellas personally. Naming Rellas personally doesn’t change the obligations Drizly will have to improve data protection, she said, and it’s not entirely clear how much responsibility Rellas had for the original failures.
“The number of issues crossing a CEO’s desk on any given day is substantial,” Wilson said. “In most large companies, I would expect CEOs to have little to no involvement with, and no direct knowledge of, practices that are the subject of an FTC investigation.”
That’s fair, but Drizly has only around 350 employees to this day; it’s not a large company. Plus, another school of thought is that CEOs are responsible for hiring good people who can handle the ethics, compliance, and governance obligations of running a business. Drizly’s security practices were a mess, and even if Rellas wasn’t responsible for them, he was responsible for hiring the people who were.
I’d pay more attention to the statement from FTC chairman Lina Khan, whose enforcement ideas are ambitious: “Holding individual executives accountable, as we also do here, can further ensure that firms and the officers that run them are better incentivized to meet their legal obligations.”
Perhaps we’ll see how true that is if Rellas gets a new job.