Jessy Edwards  |  October 26, 2022

Category: Consumer News



Drizly data breach overview: 

  • Who: The Federal Trade Commission (FTC) seeks to punish online alcohol marketplace Drizly and its CEO James Cory Rellas for a data breach with a unique settlement order.
  • Why: The proposed order is unique because the FTC wants the settlement requirements to follow Rellas even if he moves to a new company.
  • Where: The proposed settlement is before the U.S. Federal Trade Commission.

The Federal Trade Commission (FTC) wants to secure a unique settlement with Drizly over a 2020 data breach. The unique part is that the settlement terms follow CEO James Cory Rellas even if he moves to another company.

On Oct. 24, the FTC announced it was taking action against the online alcohol marketplace and its CEO over allegations the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers in 2020. 

The FTC alleges that Drizly and Rellas discovered security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers. 

The FTC’s proposed order requires the company to destroy unnecessary data, restricts the data that the company can collect and retain and binds Rellas to specific data security requirements for his role in presiding over unlawful business practices.

“In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record,” the FTC says in a statement. “Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.”

Drizly knew about security breach prior to hack, FTC alleges

According to the FTC’s complaint, in 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. 

As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information. 

Two years later, a hacker breached an employee account, received access to Drizly’s corporate GitHub login information, hacked into the company’s database and then stole customers’ information.

“Drizly failed to take steps to adequately address its security problems while publicly claiming to have appropriate security protections in place,” the FTC says.

The proposed order against Drizly and Rellas also requires the company to destroy unnecessary data, limit future data collection and implement an information security program. 

The FTC voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with Drizly and Rellas. Commissioner Christine Wilson voted yes but dissented in part as to the inclusion of Rellas as an individual defendant. 

The agreement will be subject to public comment for 30 days, after which the FTC will decide whether to finalize it. 

Consumers whose personal information may have been affected by the Drizly data breach were compensated last year following a $7.1 million class action settlement.


2 thoughts on Drizly CEO named in security order following 2020 data breach

  1. Giselle says:

    Please Add me

  2. Giselle says:

    Add me
