The Drizly data breach is a hot topic because it exposed 2.5 million customers’ personal information. Drizly, an Uber subsidiary, provides online alcohol delivery and stores its data on GitHub and Amazon Relational Database (ARD).
However, the Federal Trade Commission (FTC) found several critical flaws in Drizly’s privacy protection. These failures included failing to develop adequate security standards, policies, procedures, or practices, assessing or enforcing any control mechanisms mentioned above, and securely storing login credentials for database access.
Furthermore, there was no password protection or two-factor authentication to ensure that those attempting to gain access were who they said they were. An executive who participated in a hackathon in 2018 and was given full access to the GitHub repositories for a one-day event enabled the breach.
The company forgot to revoke his access after the hackathon ended. He used a seven-character password with no special characters that he shared and opted out of two-factor authentication.
The hacker changed the company’s ARD security settings using information stolen from GitHub, giving him access to the production environment and the confidential information of 2.5 million customers.
Drizly only discovered the hack after some customers began posting on social media. This data breach is an example of a monumental cybersecurity failure and highlights the need for proper cybersecurity standards, policies, procedures, and practices to protect customer’s private information.
What Happened?
The organization’s cybersecurity measures, policies, and procedures were insufficient. The deficiency comprised assessment or enforcement of the standards, lack of secure storage of login credentials, and inadequate password protection measures necessitating using lengthy and complex passwords.
The lack of mechanisms to supervise staff access to confidential data, absence of limitations on access to data for employees who don’t need it, no two-factor authentication, and failure to track IP addresses were all crucial deficiencies in safeguarding privacy. Furthermore, there was no digital tracking of data transfer outside the company servers and no record of external hacking efforts.
In July 2020, a security violation took place, resulting in the exposure of private data belonging to 2.5 million customers. The cause of the breach was linked to a former executive who participated in a hackathon in 2018. During the event, this individual was granted complete access to the company’s GitHub repositories, but the access was not revoked once the hackathon concluded.
The executive used a password of seven characters without any special characters or two-factor authentication, which was shared amongst others. As a result, a hacker could gain entry into Drizly’s GitHub source code and ARD repositories using the executive’s password. The hacker manipulated the company’s ARD security settings, permitting them access to its production environment and jeopardizing the confidential information of 2.5 million customers.
Drizly did not know about this hack because of the lack of logging of unauthorized access, and they only found out about it when some of the compromised customers started posting about their accounts on social media. Drizly had been hacked at least three times, including the accidental posting of the company’s AWS credentials into a personal and public GitHub account, which resulted in using Drizly’s servers for mining cryptocurrencies.
Legal Actions
In response to this data breach that led to the exposure of personal information belonging to 2.5 million users, the Federal Trade Commission (FTC) took legal action against Drizly and its CEO, James Cory Rellas, in October 2022. According to the FTC, Drizly and Rellas failed to protect users’ data appropriately, which made them vulnerable to being exploited by hackers. As part of the proposed settlement, Drizly and Rellas must implement comprehensive data security measures to prevent future breaches, notify affected users, and provide free credit monitoring services.
Additionally, an independent third-party auditor would assess Drizly’s data security practices every two years for the next 20 years. Apart from the proposed settlement, the FTC also filed a complaint against Drizly and Rellas in federal court, alleging that they engaged in deceptive and unfair practices by falsely representing the strength of their data security measures to users.
The FTC seeks monetary relief and a permanent injunction against Drizly and Rellas to prevent similar conduct in the future. The legal actions taken by the FTC against Drizly and Rellas underscore the potential ramifications of failing to protect users’ data adequately. The proposed settlement seeks to ensure that Drizly takes the necessary steps to prevent future breaches and safeguard users’ information by implementing comprehensive information security measures and regular assessments from an independent auditor.
The Aftermath
After experiencing this data breach, Drizly has undertaken various measures to enhance its security measures and ensure the safety of its customers’ data. Drizly has introduced two-factor authentication for all user accounts, strengthened password complexity requirements, and enforced extra security protocols for its database.
Moreover, Drizly has extended free credit monitoring and identity theft protection services to affected customers. Additionally, the company has developed a webpage (alcoholdeliverydatabreach.com) where users can acquire more information about the breach and ways to safeguard their privacy.
Conclusion
The Drizly data breach is a reminder that even well-known companies can fall victim to cyber-attacks. It’s essential to protect your personal information online and take steps to minimize identity theft risk. If you are a Drizly customer, follow the company’s recommended actions and stay informed about any updates related to the breach.
References
- The Corporate Hitman, Drizly got hacked & our private info was sold on the dark web | Evil Business of Drizly, Youtube, February 2022. Retrieved from Drizly got hacked & our private info was sold on the dark web | Evil Business of Drizly
- Alcohol Delivery Data Breach, alcoholdeliverydatabreach.com. Retrieved from: Drizly
- FTC Takes Action Against Drizly, its CEO James Cory Rellas for Security Failures that Exposed the data of 25 Million, FTC, October 2022. Retrieved from FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
- Online liquor delivery company Drizly settles with US FTC over data breach, Reuters, October 2022. Retrieved from Online liquor delivery company Drizly settles with U.S. FTC over data breach | Reuters
I am a passionate beer connoisseur with a deep appreciation for the art and science of brewing. With years of experience tasting and evaluating various beers, I love to share my opinions and insights with others and I am always eager to engage in lively discussions about my favorite beverage.
