The Federal Trade Commission announced Monday it has ordered alcohol-delivery service Drizly, and its CEO James Cory Rellas, to boost the company's security posture after a breach exposed the data of roughly 2.5 million customers.
The inclusion of Rellas in the FTC's complaint marks an escalation of the agency's attempts to deter potential company wrongdoing by holding executives personally responsible for it.
According to the FTC, in 2018, a Drizly employee posted company cloud credentials to GitHub, which allowed hackers to use Drizly servers for crypto mining for a time. Drizly said it had put protections in place to try to prevent that sort of incident, but the company wasn't even requiring employees to use two-factor authentication on GitHub and didn't monitor its network for unauthorized access and data theft.
Then in 2020, the FTC said, "a hacker breached an employee account, got access to Drizly’s corporate GitHub login information, hacked into the company’s database, and then stole customers’ information."
The agency said that Drizly, which is a subsidiary of Uber, must get rid of "unnecessary data," limit its future collection of consumers' information, narrow who can access data, train employees on security, and more. Rellas will even carry obligations with him if he takes certain jobs with other big companies.
The focus on Rellas comes as Democratic commissioners on the FTC in recent years have argued that company executives will be more likely to follow the law if they know they'll be personally on the hook for misdeeds. In practice, however, companies have protected their leadership and insisted chief executives may have overseen a particular incident without knowing much, or anything at all, about it.
The Democratic commissioners and would-be FTC reformers, for instance, long complained that the agency didn't depose Mark Zuckerberg following the Cambridge Analytica scandal in the investigation that led to a $5 billion fine for the company. Earlier this year, the FTC, now under the leadership of Big Tech critic Lina Khan, named Zuckerberg personally in a complaint to block Meta's acquisition of VR company Within.
The FTC, however, soon dropped him from the suit when he agreed not to buy the VR company in a personal capacity.