FTC v. Drizly, LLC (2022) — Credential Stuffing and Reasonable Security¶
Table of contents¶
- Executive Summary
- Regulatory and Legal Outcomes
- Security Technical Summary
- Understanding Regulatory and Court Orders
- Case Pack Documents
- Facts and Timeline
- References
Executive Summary¶
In or around July 2020, an attacker gained access to Drizly’s production systems and exfiltrated personal information of approximately 2.5 million consumers. The Federal Trade Commission (FTC) investigated and alleged that Drizly, LLC, and its Chief Executive Officer failed to implement reasonable information security practices, leading to the breach. The company did not detect the intrusion; it learned of the incident from media and social media reports that customer data was offered for sale on dark web forums.
The FTC filed an administrative complaint in October 2022 and simultaneously announced a proposed consent order. The order required a comprehensive information security program, data minimization and retention limits, and—notably—binding obligations on the CEO personally if he moves to another company that collects consumer data above a specified threshold. The matter was resolved by consent; no litigated opinion was issued.
Regulatory and Legal Outcomes¶
FTC Enforcement¶
The Federal Trade Commission alleged that Drizly’s security practices were unfair under Section 5 of the FTC Act and that certain public statements about security were deceptive. The FTC did not impose a monetary penalty. The Decision and Order (consent order) requires Drizly to implement a comprehensive information security program, restrict data collection and retention, obtain biennial independent assessments, and comply with reporting and recordkeeping obligations. The order also imposes obligations on the CEO individually for future roles at companies that collect covered consumer data.
Legal Theory¶
- Unfairness: Failure to use reasonable security measures caused or was likely to cause substantial injury to consumers that was not reasonably avoidable and not outweighed by countervailing benefits.
- Deception: Representations that Drizly used appropriate safeguards to protect personal information were false or misleading in light of the alleged failures.
Security Technical Summary¶
Summary¶
The breach resulted from credential reuse and inadequate access controls. An attacker obtained access to an executive’s GitHub account (using credentials from an unrelated breach), then used that account to access Drizly’s GitHub repositories. Those repositories contained AWS and database credentials stored in source code. The attacker used the credentials to modify AWS security settings and access Drizly’s production environment, including databases holding millions of consumer records. Drizly had experienced a prior security incident in 2018 involving exposed AWS credentials on GitHub but did not implement adequate policies, access controls, or monitoring to prevent recurrence.
Attack Chain¶
- An executive was granted access to Drizly’s GitHub repositories for a one-day event; access was not revoked afterward.
- The executive’s GitHub account used a weak, reused password and did not use multifactor authentication.
- An attacker obtained the executive’s credentials (e.g., from another breach) and logged into the GitHub account.
- The attacker accessed Drizly repositories containing AWS and database credentials in source code.
- The attacker used the credentials to modify AWS settings and access Drizly’s production environment.
- The attacker exfiltrated the User Table containing more than 2.5 million consumer records.
- Drizly did not detect the breach; it learned of the incident from external reports of data offered for sale online.
Engineering Takeaways¶
Identity and access management (IAM)
- Enforce multifactor authentication for all accounts with access to source code or production credentials.
- Implement role-based access, routine access reviews, and timely offboarding.
Secrets and credential management
- Prohibit storing credentials in source repositories; implement continuous secrets scanning and remediation workflows.
- Treat credential reuse and credential stuffing as expected threats; implement detection and rate limiting for anomalous access.
Cloud security and monitoring
- Maintain logging and monitoring sufficient to detect anomalous access and data exfiltration; retain evidence for investigation and regulatory requests.
- Apply change control and review to high-risk cloud security settings.
Data security (minimization and retention)
- Retain personal information only as long as necessary; publish and enforce a data retention schedule; delete or de-identify data when no longer needed.
Program governance and assurance
- Maintain a written information security program with clear ownership, risk assessment, training, testing, and service provider oversight.
- Maintain evidence of implementation and prepare for biennial independent assessments required by the FTC order.
Understanding Regulatory and Court Orders¶
Read the originals—the FTC complaint and consent order below are the authoritative sources. Use the Understanding regulatory and court orders page to interpret them and turn findings into action.
| Document | Date | Source | Key obligation |
|---|---|---|---|
| Complaint — In the Matter of Drizly, LLC, et al. | Oct. 24, 2022 | FTC | Alleged unfair and deceptive practices; failure to implement reasonable security |
| Decision and Order — Drizly, LLC, and James Cory Rellas | Oct. 24, 2022 | FTC | Information security program, data minimization, assessments, individual CEO obligations |
Case Pack Documents¶
| Case Document | Summary | Writing Scenario |
|---|---|---|
| Executive and board | ||
| Board Pack | High-level security status and top risks for the board. | CISO delivers board security brief to Board Audit Committee following FTC consent order (Nov 2022). |
| Executive Security Risk Summary | Consolidated security risks and mitigation for executives. | Security Director produces executive security risk summary for CEO and leadership after FTC order. |
| Security Program Status Report | Program health, metrics, and progress for leadership. | Lead Security Engineer submits status report to Security Director and CISO following breach and FTC order. |
| Strategic Security Initiative Justification | Business case for a major security initiative. | CISO presents business case for security program and data minimization initiative to leadership. |
| Regulatory and compliance | ||
| Regulatory Security Explanation | Explain security posture and controls to a regulator. | Security lead submits explanation of security program and consent order compliance to FTC. |
| Compliance Justification Document | Justify how controls meet a requirement or framework. | Lead Security Engineer produces compliance justification mapping controls to FTC order and framework. |
| Controls → Evidence Map | How controls are implemented and evidenced. | Security or control owner maps controls to evidence for regulator or auditor. |
| Governance Response Memo | Respond to an audit or regulatory request on governance. | CISO submits governance response memo addressing FTC order and program oversight. |
| Legal-technical | ||
| Detailed Narrative of Events | Chronological factual narrative for legal/regulatory use. | Security or legal prepares chronological narrative for counsel or regulator. |
| Security Architecture Explanation for Legal Review | Explain architecture and controls for counsel. | Lead Security Engineer produces security architecture memo for General Counsel. |
| Risk Register | Justify risk acceptance or mitigation for legal/audit. | Security Director maintains risk register for leadership and audit. |
| Security Decision Documentation | Record a significant security decision and rationale. | Security Director documents security decision record for board and counsel. |
| Policy and governance | ||
| Security Policy Draft | Draft or update an enterprise security policy. | Security Director drafts enterprise security policy for CISO, Legal, and board. |
| Security Governance Memo | Define or clarify governance roles and escalation. | CISO issues internal security governance memo to leadership. |
| Security Program Justification | Justify program scope, resourcing, or structure. | CISO presents security program justification to CEO and board. |
| Internal Security Directive | Directive or mandate from leadership on security. | CISO issues internal security directive on access control and data retention. |
| Public communication | ||
| Security Public Statement | Draft for press or public breach/incident statement. | CISO drafts public statement for consumers and partners after breach disclosure. |
| Customer Security Explanation | Explain a security topic or incident to customers. | CISO drafts formal customer notice for affected consumers. |
| Security Transparency Report Section | Section for an annual or ad-hoc transparency report. | CISO drafts security section of transparency report for public and partners. |
| Operational (case-pack specific) | ||
| Audit Packet Checklist | What to produce within 48 hours for evidence readiness. | Checklist for audit or regulator request. |
| Implementation Checklist | 0–30 / 30–60 / 60–90 day execution plan. | Security or program owner executes plan for leadership or board. |
Facts and Timeline¶
-
2018 — A Drizly employee posts AWS credentials to a personal public GitHub repository; credentials are exploited before Drizly can rotate them (servers used for cryptocurrency mining). Drizly is on notice of risks from exposed credentials and GitHub access.
-
April 2018 — An executive is granted access to Drizly’s GitHub repositories for a one-day event; access is not revoked or monitored after the event.
-
Early July 2020 — An attacker gains access to the executive’s GitHub account via credential reuse (credentials from an unrelated breach). The account used a short, reused password and no multifactor authentication.
-
July 2020 — The attacker uses the executive’s GitHub access to obtain AWS and database credentials stored in Drizly’s repositories, modifies AWS security settings, and exfiltrates the User Table containing personal information of approximately 2.5 million consumers.
-
July 2020 — Drizly does not detect the breach internally. It learns of the incident from media and social media reports that customer data is offered for sale on dark web forums.
-
Oct. 24, 2022 — The FTC files an administrative complaint against Drizly, LLC, and James Cory Rellas (CEO) and announces a proposed consent order. The order is accepted by the Commission; no monetary penalty is imposed. The order requires an information security program, data minimization, biennial assessments, and—for the CEO—binding obligations if he moves to another company that collects consumer data from more than 25,000 individuals.
References¶
Primary (official documents)
- FTC Complaint — In the Matter of Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185, Oct. 24, 2022. Complaint (PDF)
- FTC Decision and Order — In the Matter of Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185, Oct. 24, 2022. Decision and Order (PDF)
Cited
-
Federal Trade Commission. FTC Takes Action Against Drizly and Its CEO for Security Failures That Exposed Data of 2.5 Million Consumers, Oct. 24, 2022.
https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action-against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million -
Federal Trade Commission. In the Matter of Drizly, LLC — case page and document index.
https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3185-drizly-llc-matter