(Bloomberg) -- The Federal Trade Commission is penalizing alcohol delivery company Drizly Inc. and Chief Executive Officer Cory Rellas for alleged security lapses related to a 2020 data breach that exposed the personal information of 2.5 million consumers.
The proposed order requires Drizly, now a subsidiary of Uber Technologies Inc., to destroy unnecessary data and restricts the information the company can collect and retain, according to an FTC statement on Monday. It binds Rellas to data security requirements “for his role in presiding over unlawful business practices.”
In an unusual move, the FTC order applies personally to Rellas and will move with him even if he leaves Drizly. He will be required to implement an information security program at any future company that collects consumer information from more than 25,000 people and where he is a majority owner, CEO or senior officer with information security responsibilities, according to the statement.
“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in the statement. “CEOs who take shortcuts on security should take note.”
In 2020, the alcohol delivery service acknowledged that a hacker acquired some of its customer data, including emails, date-of-birth information, passwords and, in some cases, addresses.
Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers, according to the FTC’s complaint.
“We take consumer privacy and security very seriously at Drizly, and are happy to put this 2020 event behind us,” a Drizly spokesperson said in a statement.
Uber bought Drizly for $1.1 billion in 2021.