The data breach exposed the personal information of 2.5 million customers of Drizly, which is a subsidiary of Uber, the FTC said Monday (Oct. 24) in a press release.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” FTC Bureau of Consumer Protection Director Samuel Levine said in the release. “CEOs who take shortcuts on security should take note.”
A Drizly spokesperson told PYMNTS via email: “We take consumer privacy and security very seriously at Drizly and are happy to put this 2020 event behind us.”
Drizly and Rellas were alerted to the company’s data security problems in 2018 when hackers took advantage of a security breakdown and used its servers to mine for cryptocurrency until the company changed its login information. Two years later — after Drizly failed to adequately address its security problems — a hacker stole customers’ information, the release stated, citing the FTC’s complaint.
Under the proposed FTC order, Drizly and Rellas are required to destroy unnecessary data, limit future data collection, and implement an information security program, according to the release.
“Notably, the order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO,” the FTC said in the release, noting that the proposed order will follow Rellas if he leaves Drizly.
In April, FTC Chair Lina Khan said it is time for the agency to “reassess” rules around what data companies can collect from consumers, calling for a new approach to consumer data protection to replace companies’ privacy policies on collection and use of consumer data.