Analysis Drizly CEO James Cory Rellas is in the crosshairs after his company exposed the personal information of around 2.5 million customers in a computer security error.
The FTC, the US consumer watchdog, this week proposed sanctions against the alcohol delivery app, owned by Uber, and against its chief executive, with Rellas told he will have to put strong protections in place for consumers' personal data wherever he works, now and in the future.
An order [PDF] drafted by the watchdog “ensures the CEO faces the consequences of the company’s negligence,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “CEOs who take security shortcuts should take note.”
The proposed crackdown also requires Drizly and Rellas to destroy any personal data the company has retained that is not necessary to provide products or services to customers, and bars the company from collecting that kind of unnecessary customer information in the future.
Additionally, the company and its CEO must implement better security controls, require employees to use multi-factor authentication, and provide security training to staff. The FTC will decide whether to make the proposed order final after a 30-day period during which the public can comment on the penalties.
“We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson told The Register.
“Rellas is responsible for this failure”
While the data snafu happened in 2020, the FTC complaint [PDF] against the biz said the security flaws dated back to at least 2018, when a Drizly employee posted login credentials for the company’s Amazon cloud computing resources on GitHub. Crooks used those credentials to get into Drizly’s AWS backend and mine cryptocurrency on its machines until the app maker rotated the credentials.
According to the complaint, Drizly continued to fumble its IT defenses, and in 2020 those shortcomings let a malefactor steal a copy of its customer data.
An executive had access to the company’s GitHub account, and that access was protected only by a weak seven-character password with no multi-factor authentication, we are told. The intruder logged into the executive’s GitHub account using a password obtained from an unrelated security breach – so it would appear the employee had reused that password elsewhere – found Drizly’s Amazon cloud credentials in private source code, and used them to exfiltrate 2.4 million account records from a user database.
This database, according to the FTC, may have stored some or all of the following details, which would be very useful for identity thieves:
Passwords were stored hashed with either bcrypt or MD5; the latter is cheap to compute and, when unsalted, trivially crackable offline with a wordlist, making it near-worthless as password protection.
The FTC complaint singles out Rellas for this clusterfsck, stating that the big cheese was “responsible for this failure because he failed to implement, or properly delegate responsibility for implementing, reasonable information security practices.”
FTC chair Lina Khan and commissioner Alvaro Bedoya added in a statement [PDF] that Rellas “presided over Drizly’s lax data security practices”.
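The two failure modes in the complaint, cloud credentials sitting in source code and passwords stored as unsalted MD5, are both easy to check for mechanically. The script below is an added example and is not Drizly's code or anything from the FTC filings: it scans a constructed source snippet for AWS access key IDs and secret keys (the key pair shown is the placeholder pair AWS itself publishes in its documentation), then audits a constructed user table, labelling each stored hash by format and running a dictionary attack on the MD5 rows to show why that format is worthless. The bcrypt string in the sample is a format-valid placeholder rather than a real bcrypt output, and the function names and regexes are my own.

```python
"""Added example (not Drizly's code): two checks for the failure modes in the
complaint. All sample data below is constructed; the AWS key pair is the pair
AWS publishes in its own documentation as a placeholder.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# --- 1. Credentials committed to source control -----------------------------
# Long-term access key IDs begin with AKIA (ASIA for temporary ones) followed by
# 16 upper-case alphanumerics; the secret is 40 base64-style characters.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_aws_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, token) for each credential-shaped token in source."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((n, "access_key_id", m.group(0)))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append((n, "secret_access_key", m.group(1)))
    return findings


# Constructed snippet of the kind of config file that ends up in a repository.
LEAKY_SOURCE = """\
import boto3
# TODO: move to env vars
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3")
"""

# --- 2. Password hashes: MD5 versus bcrypt ----------------------------------
# bcrypt strings are 60 chars: $2x$ + 2-digit cost + $ + 53 chars of bcrypt base64.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def classify_hash(stored: str) -> str:
    """Label a stored password hash by its format."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if MD5_RE.match(stored):
        return "md5"
    return "unknown"


def crack_md5(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted MD5: one digest per candidate, then a lookup.

    Because MD5 is fast and the scheme is unsalted, the attacker hashes the
    wordlist once and recovers every user who chose any word in it.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def audit_password_store(rows: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, object]:
    """Summarise a user->hash table: format counts plus MD5 rows cracked offline."""
    by_format: Dict[str, int] = {}
    for stored in rows.values():
        fmt = classify_hash(stored)
        by_format[fmt] = by_format.get(fmt, 0) + 1
    md5_rows = {u: h for u, h in rows.items() if classify_hash(h) == "md5"}
    cracked_digests = crack_md5(md5_rows.values(), wordlist)
    cracked = {u: cracked_digests[h] for u, h in md5_rows.items() if h in cracked_digests}
    return {"by_format": by_format, "cracked": cracked}


# Constructed user table. The two literal MD5 values are the digests of
# "password" and "123456"; the bcrypt string is a format-valid placeholder.
USER_DUMP = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob": "e10adc3949ba59abbe56e057f20f883e",
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
    "dave": "$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
}
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "drizly1"]

if __name__ == "__main__":
    for line_no, kind, token in find_aws_credentials(LEAKY_SOURCE):
        print(f"line {line_no}: {kind} = {token[:4]}...")
    print(audit_password_store(USER_DUMP, COMMON_PASSWORDS))
```

Run as a pre-commit hook, the first check would have flagged both the 2018 and 2020 credential leaks before the push; the second shows that of the three MD5 rows, the two users with wordlist passwords fall to a single pass over the list, while the bcrypt row is not even attempted here because each guess costs a full bcrypt computation instead of a hash-table lookup.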
Sanctions will follow Rellas even if he moves to another organization. “In the modern economy, business leaders sometimes move from one company to another, despite the imperfections of their backgrounds,” Khan and Bedoya noted.
For the next decade, Rellas will have to implement an information security program at any company that collects personal data from more than 25,000 people and of which he is the majority owner, CEO, or a senior executive with infosec responsibilities.
The action is part of “aggressive efforts” by the watchdog to protect private data and to ensure that “negligent CEOs learn from their data security failures,” according to the FTC press release.
However, not everyone – not even all of the regulator’s commissioners – agrees that holding CEOs’ feet to the fire is the right approach.
Despite the commission’s 4-0 vote in favor of the sanctions, Commissioner Christine Wilson partially dissented, citing Rellas’ inclusion in the order. “While I support the claim against the corporate defendant, I do not support the liability of the individual defendant, Rellas,” she wrote [PDF]. “This broad standard could effectively allow the Commission to hold individually liable the CEOs of most of the companies we take enforcement action against.”
“By naming Rellas, the Commission has not warned the market that the FTC will use its resources to target lax data security practices,” Wilson continued later in her statement. “Instead, it signaled that the agency will substitute its own judgment on corporate priorities and governance decisions for those of the corporations.”
“Open Pandora’s Box”
Mauricio Sanchez, research director who leads Dell’Oro Group’s network security research program, called the order “unprecedented” because it follows Rellas into any business he joins in future.
“I fear the FTC has opened a Pandora’s box without fully considering the long-term effects down the road,” he told The Register.
“Also, it’s unclear whether the FTC has a process for individuals to challenge these kinds of personal sanctions, as they appear to follow them for the rest of their lives.”
Sanchez agreed that “blatant inaction on the part of the CEO” led to the Drizly breach, but asked, “Do we really want a bureaucracy to be judge, jury and executioner on decisions that are so personal and long-term in nature?”
“I hope this will deter CEOs from botching security, but ultimately I don’t think it will stop security breaches,” he added.
Gerry Stegmaier, partner in Reed Smith’s technology and data group, said holding executives personally accountable for corporate behavior “has been a recent staple of Biden-appointed officials seeking to push for increased corporate accountability, especially for technology companies, and especially in the boardroom and the C-suite.”
Yet, he told The Register, he does not expect this to become the norm. It could, however, discourage transparency and accountability when it comes to database security breaches.
“It’s much harder to sue people individually for things they didn’t know anything about,” Stegmaier said. “Unusually, in many systems, increasing direct personal accountability can interfere with actual improvements in security, privacy, or comparable compliance goals.”
While holding a CEO accountable for a security breach is “a slippery slope,” according to Brian Mannion, chief legal officer and chief data protection officer at Aware, the FTC’s action may mean additional clout, or at least a larger budget, for Chief Information Security Officers (CISOs).
“This enforcement action will certainly provide CISOs with more ammunition when trying to implement proper security controls,” Mannion told The Register.
That is especially true if they do not want to follow in the footsteps of former Uber security chief Joe Sullivan. ®