Drizly has agreed to tighten its data security practices after federal regulators accused the alcohol delivery company and its CEO of security breaches related to a 2020 data breach that exposed the personal information of 2.5 million customers.
The Federal Trade Commission said Monday it has reached a proposed consent agreement with Drizly, a Boston-based subsidiary of Uber that offers delivery of beer, wine and other alcoholic beverages to consumers who are of legal drinking age. The FTC alleges that the company and its CEO, James Corey Relas, were warned of security problems two years before the 2020 hack, but failed to take steps to protect consumer data.
The proposed order limits the information the company can collect and store and requires Drizzly to implement a comprehensive data security program and destroy unnecessary data. The FTC said the proposed order would also require Relas to comply with certain data security requirements “for his role in managing the illegal business practices.”
“Our proposed order against Drizly not only limits what the company can retain and recover going forward, but also ensures that the CEO faces consequences for the company’s negligence,” Samuel Levin, director of the FTC’s Bureau of Consumer Protection, said in a statement. “CEOs using security shortcuts should take note.”
In 2020, Drizly confirmed that the hacker obtained some personal customer data, including emails, dates of birth, passwords and in some cases addresses.
“At Drizly, we take consumer privacy and security very seriously and are excited to put this 2020 event behind us,” a Drizly spokesperson said in a statement.
Uber bought Drizly for 1.1 billion dollars 2021 year.