FTC Takes Action Against Drizly for 2020 Data Breach

The alcohol delivery company agrees to tighten data security practices amid allegations it knew of security lapses two years before a hacker stole 2.5 million customers' personal information.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read
Drizly bag and bottles and cans of alcohol

Drizly has agreed to tighten its data security practices after federal regulators accused the alcohol delivery company and its CEO of security lapses related to a 2020 data breach that exposed the personal information of 2.5 million customers.

The Federal Trade Commission said Monday it had reached a proposed consent agreement with Drizly, a Boston-based subsidiary of Uber that offers delivery of beer, wine and other alcoholic spirits to consumers of legal drinking age. The FTC alleged that the company and its CEO, James Cory Rellas, were alerted to security problems two years before the 2020 breach yet failed to act to protect consumers' data.

The proposed order limits the information the company can collect and retain and requires Drizly to implement a comprehensive data security program and destroy unnecessary data. The FTC said the proposed order also binds Rellas to specific data security requirements "for his role in presiding over unlawful business practices."

"Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company's carelessness," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in the statement. "CEOs who take shortcuts on security should take note."

In 2020, Drizly confirmed that a hacker had obtained some customers' personal data, including emails, date-of-birth information, passwords and, in some cases, addresses.

"We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us," a Drizly spokesperson said in a statement.

Uber bought Drizly for $1.1 billion 2021.

Read more: Best Alcohol Delivery Services for 2022