Top Executives Increasingly Held Rsponsible for Company Cybersecurity
The chief executive of online alcohol marketplace Drizly is set to come under a decade-long government mandate requiring him to personally ensure any company he leads has a cybersecurity program.
The mandate is part of a proposed settlement agreement between the U.S. Federal Trade Commission, the company and CEO James Rellas after hackers stole the data of 2.5 million customers in July 2020. The settlement received unanimous approval from the agency’s four sitting commissioners.
The stolen data set included names, email and physical addresses, partial payment information and data used for marketing including income level, martial status and home value. Also included were user passwords hashed with the MD5 algorithm. The data set appears available for download on data breach forums.
“We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a company spokesperson told Information Security Media Group.
Drizly bills itself as the “largest online marketplace for alcohol” in North America. The FTC says its data breach can be traced to a failure by Rellas to ensure proper information security practices at the company. Ride-hailing app company Uber bought Drizly for $1.1 billion October 2021.
“Rellas hired senior executives dedicated to finance, legal, marketing, retail, human resources, product, and analytics, but failed to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly,” the agency says in a complaint.
The settlement agreement – it is formally subject to a second round of voting by FTC commissioners after a 30 day period for public comment – comes as Democratic commissioners have pushed the agency to hold executives directly liable for the actions of their companies. Their advocacy intensified after the agency’s 2019 settlement with Facebook that ended an investigation into the social media giant’s treatment of user privacy – a settlement they criticized for treating CEO Mark Zuckerberg with kid gloves. The Monday settlement also comes just weeks after a federal jury found Joe Sullivan guilty of personally covering up a data breach at Uber while he was the chief security officer (see: Implications for CSOs of Charges Against Joe Sullivan).
“CEOs who take shortcuts on security should take note,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in a statement.
At the time of the breach, Drizly sought to reassure customers by emphasizing that it kept user passwords stored in hashed form. The FTC complaint dents those reassurances by revealing that the hashing was done with MD5, an algorithm the Software Engineering Institute in 2008 declared “cryptographically broken and unsuitable for further use” for its vulnerability to collision attacks.
The root cause of the breach was a key to the company’s Amazon Relational Database Service account stored inside code repository GitHub. The code repository wasn’t on the open web, but a hacker found a way inside by using the logon credential of a company executive whose password was compromised in an unrelated data breach.
The executive didn’t need daily access to GitHub, but the company in April 2018 granted him access so he could participate in a one-day hackathon. The password the executive chose was a seven character alphanumeric that he also used for personal accounts.
The data breach wasn’t the first time Drizly had a run in with hackers. Another employee in 2018 posted company Amazon Web Service credentials to a personal GitHub repository that was exposed to the open internet. A hacker found it and used Drizly’s cloud accounts to mine cryptocurrency.
The settlement requires Drizly to delete personal information not being actively used to provide customers with service and to minimize its data collection to specific business needs.
It puts the company under a two decade commitment to phishing-resistant multifactor authentication before employees access customer data. Customers must have it as an option. The company must also follow a written information security policy and annually test its safeguards.
Should he leave Drizly for another senior company position within the next decade, Rellas will have to ensure that within 180 days of his start date, his new company has a comprehensive information security program. Whoever is CEO at Drizly, that person will have to certify to the FTC each year for the next 20 years that the order is being carried out.