According to the FTC announcement, Drizly should destroy unnecessary data and restrict future data collection and retention. Its CEO, James Cory Rellas, should also adhere to specific data security requirements. The FTC says the platform “failed to take steps to protect consumers’ data from hackers,” and the data of 2.5 million customers was exposed. “Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” noted Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
FTC orders Drizly to tighten its security and remove unnecessary data
The Boston-based platform collects a tremendous amount of customer data, including emails, postal addresses, phone numbers, unique device identifiers, geolocation information, and data purchased from third parties. All of this data is stored on the company’s AWS servers.
The FTC is now blaming Drizly for four issues. First, it failed to implement basic security measures, such as forcing employees to use two-factor authentication for GitHub or limiting employee access to personal data. The company also stored critical database information on an unsecured platform and neglected to monitor the network for security threats. Finally, it exposed customers to hackers and identity thieves, and that data went on sale on two different publicly accessible sites on the dark web.
According to the FTC ruling, Drizly should now remove any customer data that is unnecessary to keep, and it should also inform the Commission about the destroyed data. Next, Drizly should limit the amount of data it collects from customers and clarify on its website what type of data it collects and why. Additionally, the company should implement an information security program to train employees about security measures.