The Federal Trade Commission has thrown down the gauntlet on data privacy, taking action against a CEO for his company’s failures.
According to the FTC, alcohol marketplace Drizly was notified of security issues at least two years prior to a data breach but failed to take any action to address the problems.
An initial incident in 2018 alerted the company to the issues. The company claimed to have addressed the problem but took little to no action to do so, leaving it open to an even bigger breach two years later.
In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account. Drizly failed to take steps to adequately address its security problems while publicly claiming to have appropriate security protections in place. Two years later, a hacker breached an employee account, got access to Drizly’s corporate GitHub login information, hacked into the company’s database, and then stole customers’ information.
As a result, the FTC is holding Drizly and CEO James Cory Rellas responsible, imposing a range of restrictions on the company.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”
Companies should take note of the Drizly case, as it sends a clear message that the FTC is cracking down on companies, and their executives, over data breaches caused by negligence.