FTC Enforcement Action Against Company and CEO Provides Roadmap for Reasonable Data Security Measures

By: Kathie McDonald-McClure

On October 24, 2022, the Federal Trade Commission (FTC) announced enforcement action against Drizly, an online alcohol marketplace and subsidiary of Uber, and the Drizly CEO, over allegations that Drizly and the CEO failed to implement safeguards to prevent unauthorized access to consumer data stored on the Amazon Relational Database Service (Amazon RDS) that Drizly used to host its online marketplace platform. The FTC said that Drizly and its CEO were alerted to a security issue two years before the breach yet failed to take appropriate responsive action to secure personal information of consumers stored on Drizly’s Amazon RDS.

Employee posted company account login information on GitHub contributing to 2018 and 2020 security breaches. In 2018, a Drizly employee posted company cloud computing account login information on GitHub. GitHub is a free, online software development and hosting platform used for storing, tracking and collaborating on software projects. Drizly uses GitHub not only to manage and support its e-commerce website, but also to store spreadsheets, data sets, and repositories of past company data and projects.

The GitHub repositories included the AWS credentials used to access Drizly’s production environment. This security lapse allowed hackers to use Drizly’s servers to mine cryptocurrency in 2018. Upon discovering this, Drizly changed the login information for its cloud computing account and publicly claimed that it used adequate data security protections. Its website privacy policy stated: “We use standard security practices such as encryption and firewalls to protect the information we collect from you.”

Company employee is allowed access to GitHub repositories for a hackathon, using compromised credentials. According to the FTC complaint, in 2020 the company granted a company executive access to the GitHub repositories in order to participate in a one-day hackathon. The company failed to terminate the executive’s access after the event was over. At the time of granting such access, Drizly had not required unique and complex passwords nor multifactor authentication for access to the GitHub repositories. As a result, the executive had used a seven-character, alphanumeric password that he had used for other personal accounts and that was the subject of an unrelated data breach. The hacker used the executive’s compromised password to gain access to his GitHub account and to then access the company’s AWS and database credentials stored in the repositories. Ultimately, the hacker located the customer information stored on the company databases and put the information up for sale on two publicly available websites on the dark web.

Large volume of nonpublic, personal information was accessed by hacker. The FTC said Drizly’s security failures led to a breach of the personal information of about 2.5 million consumers. The personal information includes data collected from consumers who visited or placed e-commerce orders on the platform, such as name, age, email address, postal address, phone numbers, unique device identifiers, order histories, partial payment information, geolocation information, as well as personal information automatically collected from consumer computers and mobile devices by the website’s data collection tools.

In addition, the personal information included consumer data that Drizly purchased from third parties such as income level, marital status, gender, ethnicity, existence of children, and home value. The Drizly databases also contained consumer account passwords that were hashed using MD5 which the FTC said is “cryptographically broken and widely considered insecure.”

The FTC complaint provides a roadmap for minimum reasonable data security measures. The FTC complaint alleges that Drizly failed to implement “reasonable information security practices” to protect consumers’ personal information. These reasonable security practices include:

1. Implementing written information security policies and procedures, including employee training (including for engineers) and assessment of compliance with such written security practices.
2. Securely storing login credentials and ensuring such credentials are not stored on an open source software development platform such as GitHub.
3. Imposing reasonable user access controls such as:
   • Requiring unique and complex passwords (i.e., long passwords not used by the individual for any other online service) and, ideally, multi-factor authentication
   • Enforcing role-based access controls
   • Monitoring and terminating unnecessary access of employees and contractors to confidential data
   • Restricting inbound connections to known IP addresses
   • Requiring appropriate authentications between company applications and its production environment
4. Continually logging and monitoring for suspicious network activity including unauthorized access to the network and attempts to transfer or exfiltrate personal information outside of the network.
5. Performing regular data security assessments, including:
   • Testing, assessing and reviewing security features of software products and applications
   • Conducting regular risk assessment, vulnerability scans, and penetration testing of the network and databases that store personal information
6. Taking inventory of personal information and regularly deleting unneeded personal information.

FTC Act Section 5 violation. The FTC’s complaint alleges that the inadequate security measures of Drizly and its CEO constituted an unfair and deceptive act or practice under Section 5(a) of the Federal Trade Act. More specifically, the FTC alleged that the company’s failure to implement reasonable security measures to protect the personal information on its network caused or was likely to cause substantial harm to consumers, and that this constituted an “unfair information security practice.” Additionally, the FTC alleged that the company’s Privacy Policy representation that it used appropriate safeguards to protect consumers’ personal information constituted a “deceptive security statement.” Finally, the FTC took the unusual step of including the company’s CEO as an individual defendant on its complaint.

Looking for assistance with your company’s data security policies? We work with clients and their IT team in the preparation and updating of data security policies and procedures.  As illustrated by this FTC enforcement action, these policies are essential in today’s cyber threats environment to meet legal and regulatory expectations, as well as contractual, cyber insurance underwriting, consumers, and other third-parties. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and cyber security practice, visit Data Privacy and Cyber Security.

Kathie McDonald-McClure

Kathie McDonald-McClure leads the Firm’s Data Privacy & Cyber Security practice and is a member of the Health Care Service Team. Her longtime passion for and attention to technology-related matters has given her a leg-up in assisting clients with regard to data privacy and cyber security. She regularly advises businesses and business managers on compliance with HIPAA, FERPA, GLBA, GDPR, and state data privacy and breach reporting laws. Read more.