FTC Takes action against Drizly and CEO following security breaches (ftc.gov)
89 points by thrownaway996 on Oct 25, 2022 | 20 comments



I am genuinely curious: why did the FTC take this enforcement action?

There is no fine, no prosecution, no consequences of any sort. Essentially, they're just asking the executive to "implement an information security program" at any companies they head.

This seems to send the message that there are absolutely no consequences for getting caught hiding an extremely negligent data breach. Was that the FTC's intent?


Since last year's AMG case in the Supreme Court, the FTC is not authorized to seek monetary relief in these cases.

The FTC can seek monetary relief if this order is violated.


There is this condition:

> Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information

I'm not aware of any other decree following the CEO to other companies.


Interesting - as cybersecurity insurance becomes more popular, I'm curious how orders like this will affect that. Maybe there will be a new checkbox on insurance forms saying "I'm not personally sanctioned by the FTC for information security lapses"


That's an interesting thing to hang around his neck. You'd hope all companies like that (25k+ customers) already have an information security program, though. Maybe Rellas can take it as a selling point and has a future as an infosec CEO?


FTC isn't the DOJ. They can't prosecute anything.


They can file for injunctive relief and issue cease and desist orders. If those orders aren't followed, they can proceed with monetary relief as well.

The FTC can do whatever Congress authorizes them to do. The Supreme Court decided that what Congress laid out in law required the FTC to file the cease and desist first, and then, if that order is violated, they can pursue further action.


> Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers.

That seems less than ideal.


Is there any sort of browser extension that shows number of known security breaches when you visit a website? Would be interesting.


How would you propose tallying up the number of security breaches?

You would need a way to collect breaches by company, and then a way to tie companies to their URLs. Additionally, is SolarWinds a Microsoft breach?

If there were a repository of known security breaches, I think the rest could be done manually or fairly easily for a specific list of websites.


I'd be interested in this.


Honestly, somebody should take action against Drizly for how easy they make buying alcohol underage if anything (not that I care).


How does Drizly change that? I've had to show ID to prove age for the few Drizly orders I've made (even if there wasn't alcohol in the delivery). If the teenager already has a fake ID, how does Drizly move the meter on how easy it is to get alcohol?


Drizly drivers don't scan. Most liquor stores scan.


Wait, you mean... the company who photographed your ID is in the wrong? Who could have guessed they'd be this crap at info security.


I did not know that Drizly was an Uber subsidiary. I wonder how much of the "disregard for authority" DNA of Uber got on them?


Drizly was a separate startup that was bought by Uber in 2021.


Based on this, it seems the leaves don't fall too far from the tree.


They turned out to be a real shit-apple, Randy.


They were data hungry before the Uber acquisition.

