The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.
As the FTC complaint contends, the security problems began when Drizly hosted a coding competition. As part of the competition, it gave one of its executives access to its GitHub platform, which contained not only source code to support the company site, but also credentials to its production database. After the competition ended, those credentials were not revoked, even though they were meant to be temporary, and the executive ultimately left the company. The credentials were stolen in an unrelated breach and used by the threat actor to access the production database and exfiltrate the consumers’ information. Drizly did not discover the exfiltration, and instead learned only through media reports that customers’ accounts were being sold on dark web forums. According to the FTC, the company conducted a post-breach analysis which determined that the incident occurred because the company did not have in place a formal security program or hygiene practice.
The FTC said that Drizly could likely have prevented the 2020 breach by requiring regular review of access permissions, multifactor authentication for all employees with access to code repositories, and scanning of code repositories for unsecured credentials. The FTC order was directed against both the company and its CEO, a co-founder who is active in all parts of its management. (One commissioner disagreed with finding him personally responsible.) If the order is made final by the FTC, Drizly and the CEO will be required to:
- Destroy unnecessary consumer personal information;
- Publicly post a retention schedule for personal information;
- Limit the future collection of personal information;
- Implement a comprehensive data security program that includes:
  - multi-factor authentication for databases with consumer data;
  - vulnerability testing of the network and applications every four months; and
  - penetration testing of the business’s network and applications every twelve months; and
- Conduct biennial security assessments for the next twenty years.
Putting it into practice. This case highlights several of the FTC’s expectations around a company’s security measures. These include having someone in charge of information security, having a formal information security program, utilizing multi-factor authentication, and taking action on any recommendations or remedial areas identified in a post-breach analysis. This case is also a reminder that here, as in many other cases, an FTC consent decree may be issued not just against the company, but its directors or owners as well.