We’ve all been there—you want to get totally sloshed but you don’t have the energy to get off the couch (we’ve all been there, right guys? right??). Well, the solution, thanks to modern technology, is to order alcohol straight to your apartment like some sort of debauched sloth. Yes, dear friends, there is an app for that—and it’s in a bit of trouble right now.
The booze delivery company Drizly is currently under fire from the Federal Trade Commission over a series of cybersecurity blunders that left the personal information of 2.5 million users at the mercy of hackers two years ago. Drizly, which offers an app-based alcohol delivery service, is basically Uber Eats but for liquor. This makes sense because, like Uber Eats, Drizly is also owned by Uber. The global ride-share giant purchased the company last October, in an apparent bid to expand the product base it could deliver to lazy middle class consumers via its army of underpaid gig-workers.
Using age verification mechanisms, Drizly allows age-21+ mobile users to expedite beer, wine, hard seltzers, and any other booze of their choosing from local retailers straight to their homes. And while that might sound like the makings of a fun night, unfortunately, the company is currently facing a federal law enforcement action that isn’t so fun: in a complaint filed by the FTC Monday, officials accused the company and its CEO, James Cory Rellas, of grievous security failures that ultimately led to the compromise of millions of app users’ data.
According to the complaint, Rellas and the company implemented a largely non-existent security policy that led rather predictably to disaster. In Drizly’s early years, Rellas hired a slew of executives to grow the firm but ultimately failed to hire a chief information security officer, who would have been responsible for looking after user data. Among other bungles, Drizly also used a cryptographically broken and thus insecure hash function, MD5, to obscure user passwords, failed to limit employee access to user data, didn’t monitor its network for security threats, didn’t develop security procedures, and didn’t train employees on how to look out for bad actors. To top it all off, Drizly stored important database information on an unsecured platform. The insecure data was ultimately used by cybercriminals to hack into the company’s environment and use Drizly’s servers to mine cryptocurrency. In 2020, meanwhile, a cybercriminal managed to sneak past Drizly’s defenseless perimeter to steal personal information on 2.5 million app users.
The complaint makes it clear that this is all not okay:
These failures allowed a malicious actor to access Drizly’s consumer database and steal information relating to 2.5 million consumers... Rellas is responsible for this failure, as he did not implement, or properly delegate the responsibility to implement, reasonable information security practices...
The company said in a statement, “We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us.”
Drizly’s parent company has encountered dire cybersecurity woes this year as well. Uber’s former chief information officer Joe Sullivan was convicted of obstruction of justice earlier this month, and the company suffered a severe data breach in September that it’s still in the process of cleaning up.
As stipulated by the complaint, Drizly and Rellas are now required to delete all user data that is “not necessary for it to provide products or services to consumers.” Going forward, the company will also be forced to limit the amount of data it collects on users, in an effort to avoid future leakage. At the same time, the FTC has mandated that Drizly put into action a real data security plan, one that will “protect against the [kinds of] security incidents” that are outlined in the complaint.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in the agency’s press release. “CEOs who take shortcuts on security should take note.”