FTC slaps down Drizly CEO after 2.4m user records stolen from 'careless' booze app biz
At least this'll give some ammo to CISOs dying for stronger IT defenses
Analysis Drizly CEO James Cory Rellas is in the firing line after his company exposed about 2.5 million customers' personal information in a computer security blunder.
The FTC, America's consumer watchdog, this week proposed sanctions against the Uber-owned booze-delivery app and its chief executive, with Rellas being told he'll have to implement strong protections for people's data wherever he works, now and in future.
An order [PDF] drafted by the watchdog "ensures the CEO faces consequences for the company's carelessness," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement. "CEOs who take shortcuts on security should take note."
The proposed crackdown also requires Drizly and Rellas to destroy any personal data the biz has retained that's not necessary for providing products or services to customers, and prevents the company from collecting this type of unnecessary customer information going forward.
Additionally, the company and its CEO must put better security controls in place, require employees to use multi-factor authentication, and provide security training for its employees. The FTC will decide to make the proposed order final after a 30-period in which the public can comment on the sanctions.
"We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us," a Drizly spokesperson told The Register.
'Rellas is responsible for this failure'
While the data snafu occurred in 2020, the FTC's complaint [PDF] against the biz stated the security failings date back to at least 2018, when a Drizly employee posted on GitHub login details for the company's Amazon cloud computing resources. This gave crooks access to Drizly's backend servers to mine cryptocurrency on the machines until the app maker changed its credentials.
According to the complaint, Drizly continued to fumble its IT defenses, and in 2020 these shortcomings led to a miscreant stealing a copy of its customer data.
An executive had been given access to the corporate GitHub account; this access was secured with a weak seven-character password and no multi-factor authentication, we're told. The intruder was able to log into the exec's GitHub account using a password obtained from an unrelated security breach – so it would seem the employee reused the password elsewhere, too – and find Drizly's Amazon cloud credentials in the private source code, and exfiltrate 2.4 million account records from a user database.
That database, according to the FTC, may have stored any or all of the following details, which would be most useful for identity thieves:
Names, email addresses, postal addresses, phone numbers, unique device identifiers, order histories, partial payment information, geolocation information, and consumer data (including, e.g., income level, marital status, gender, ethnicity, existence of children, and home value) purchased from third parties
Passwords were also hashed using bcrypt or MD5, the latter being worthless and crackable.
The FTC complaint singles out Rellas for this clusterfsck, stating the big cheese was "responsible for this failure, as he did not implement, or properly delegate the responsibility to implement, reasonable information security practices."
The regulator's Chair Lina Khan and Commissioner Alvaro Bedoya added [PDF] that Rellas "presided over Drizly's lax data security practices."
The sanctions will follow Rellas even if he moves on to a different organization. "In the modern economy, corporate executives sometimes bounce from company to company, notwithstanding blemishes on their track record," Khan and Bedoya noted.
For the next decade, Rellas will be required to implement an IT security program at any company that collects personal data from more than 25,000 people, and where he is a majority owner, CEO, or senior officer with infosec responsibilities.
The action is part of the watchdog agency's "aggressive efforts" to protect private data and ensure that "careless CEOs learn from their data security failures," according to the FTC's press release.
However, not everyone — and not even all of the regulator's commissioners — agrees that holding CEOs' feet to the fire is the right approach.
Despite the commission's 4-0 vote in favor of the sanctions, Commissioner Christine Wilson partially dissented, citing the order's inclusion of Rellas. "While I support the complaint against the corporate defendant, I do not support holding the individual defendant, Rellas, liable," she wrote [PDF]. "This broad standard effectively could enable the Commission to hold individually liable the CEOs of most companies against which we initiate enforcement action."
"By naming Rellas, the Commission has not put the market on notice that the FTC will use its resources to target lax data security practices," Wilson continued, later in her statement. "Instead, it has signaled that the agency will substitute its own judgment about corporate priorities and governance decisions for those of companies."
'Opening up Pandora's box'
Mauricio Sanchez, a research director who leads the network security research program at Dell'Oro Group, called the order, as it applies to Rellas' future companies "unprecedented."
"I'm afraid the FTC has opened up a Pandora's box without fully contemplating the long-term effects down the road," he told The Register.
"Moreover, it's not clear whether the FTC has a process for individuals to contest these sorts of personal decisions, since it looks like it will follow them for the rest of their lives."
Sanchez agreed that "egregious inaction on part of the CEO" led to the Drizly breach, but asked: "Do we really want a bureaucracy to be the judge, jury, and executioner on decisions that are so personal and long-term in nature?"
"I hope it pushes sloppy security CEOs out, but at the end of the day I don't think it's going to stop security breaches," he added.
Gerry Stegmaier, a partner with Reed Smith's tech and data group, said holding executives personally responsible for company behavior "has been a recent staple of Biden-appointed officials seeking to put pressure to drive greater corporate accountability — especially for tech companies, and particularly in boardrooms and the C-suite."
- Former Uber CSO convicted for covering up massive 2016 data theft
- Data tracking poses a 'national security risk' FTC told
- FTC sues data broker for selling millions of people's 'precise' location info
- Mozilla CSO demands fines to curb Big Tech surveillance
Still, he told The Register, he doesn't expect it to become the norm. However, it may discourage transparency and accountability when it comes to database security breaches.
"It is much harder to prosecute people individually for things they didn't know about," Stegmaier said. "Unusually, in many systems, increasing personal direct liability may interfere with actual improvements in security, privacy or comparable compliance goals."
While holding a chief executive accountable for a security breach is "a slippery slope," according to Brian Mannion, chief legal and data protection officer at Aware, the FTC action may mean additional power — or at least a bigger budget — for chief information security officers (CISOs).
"This enforcement action will certainly provide CISOs with more ammunition when trying to implement appropriate security controls," Mannion told The Register.
That's especially true if they don't want to follow in the footsteps of former Uber security chief Joe Sullivan. ®