Security failures that led to the theft of 2.5 million consumers’ information from online liquor store Drizly have led to enforcement action by the Federal Trade Commission. But the detail of the action makes this more than just another enforcement story.
What makes this stand out is that the charges have been laid not just against the business, but against its CEO James Rellas personally. And this means he will have to abide by the terms of the consent order even if he leaves and takes another job.
Eyebrow-raising
The detail is picked up and discussed in some depth by industry expert Matt Kelly, the editor and CEO of RadicalCompliance.com, and the piece makes for a fascinating read. Detail of the security lapses is set out in the FTC complaint, detail which in itself is eyebrow-raising.
Drizly used Amazon Web Services and Github to operate. Employees were required to use their personal Github accounts to access corporate data. But Drizly did not require them to use complex passwords or multi-factor authentication.
In April 2018, the company gave one of its executives access to its Github respositories to enable participation in a one-day hackathon. He used a seven-character password he also used for a number of other accounts. In July 2020, a hacker accessed the executive’s personal Github account, was able to jump to Drizly’s corporate account and get hold of credentials to access its AWS data.
Dark web
That data contained personal information on 2.5 million customers, which was put on to the dark web. Drizly remained unaware of the breach until reports of its customers’ accounts being sold on the dark web surfaced.
Drizly, Rellas and the FTC have agreed the terms of a consent order that includes remediation measures with neither party admitting or denying any of the allegations. But, says Kelly, “What’s most interesting is that those remediation steps (and others) apply to both Drizly as a corporation and to Rellas personally — so that even if he leaves Drizly and takes another job elsewhere, Rellas will need to do the same at his new employer.”
Astonishing
The wording in the order says clearly that “the Commission’s proposed order will follow Rellas even if he leaves Drizly”. Kelly observes: “Never have I heard of a civil enforcement action like this, one that requires reforms to business operations, apply to an executive personally as he transits through his career. It’s astonishing.”
Christine Wilson, the Republican FTC commissioner, went as far as to issue a statement opposing the terms set for Rellas personally. But the FTC’s approach was summarized by chairman Lena Khan. She said: “Holding individual executives accountable, as we also do here, can further ensure that firms and the officers that run them are better incentivized to meet their legal obligations.”