FTC Enforcement Action Against Company and CEO Provides Roadmap for Reasonable Data Security Measures

November 8, 2022November 9, 2022 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement account credentials, consumer privacy and security, FTC Act Section 5, FTC enforcement action, multi-factor authentication, passwords

Company’s Security Failures Exposed Data of 2.5 Million Consumers

By Kathie McDonald-McClure

On October 24, 2022, the Federal Trade Commission (FTC) announced enforcement action against Drizly, an online alcohol marketplace and subsidiary of Uber, and the Drizly CEO, over allegations that Drizly and the CEO failed to implement safeguards to prevent unauthorized access to consumer data stored on the Amazon Relational Database Service (Amazon RDS) that Drizly used to host its online marketplace platform. The FTC said that Drizly and its CEO were alerted to a security issue two years before the breach yet failed to take appropriate responsive action to secure personal information of consumers stored on Drizly’s Amazon RDS.

Employee posted company account login information on GitHub contributing to 2018 and 2020 security breaches. In 2018, a Drizly employee posted company cloud computing account login information on GitHub. GitHub is a free, online software development and hosting platform used for storing, tracking and collaborating on software projects. Drizly uses GitHub not only to manage and support its e-commerce website, but also to store spreadsheets, data sets, and repositories of past company data and projects.

The GitHub repositories included the AWS credentials used to access Drizly’s production environment. This security lapse allowed hackers to use Drizly’s servers to mine cryptocurrency in 2018. Upon discovering this, Drizly changed the login information for its cloud computing account and publicly claimed that it used adequate data security protections. Its website privacy policy stated: “We use standard security practices such as encryption and firewalls to protect the information we collect from you.”

Company employee is allowed access to GitHub repositories for a hackathon, using compromised credentials. According to the FTC complaint, in 2020 the company granted a company executive access to the GitHub repositories in order to participate in a one-day hackathon. The company failed to terminate the executive’s access after the event was over. At the time of granting such access, Drizly had not required unique and complex passwords nor multifactor authentication for access to the GitHub repositories. As a result, the executive had used a seven-character, alphanumeric password that he had used for other personal accounts and that was the subject of an unrelated data breach. The hacker used the executive’s compromised password to gain access to his GitHub account and to then access the company’s AWS and database credentials stored in the repositories. Ultimately, the hacker located the customer information stored on the company databases and put the information up for sale on two publicly available websites on the dark web.

Large volume of nonpublic, personal information was accessed by hacker. The FTC said Drizly’s security failures led to a breach of the personal information of about 2.5 million consumers. The personal information includes data collected from consumers who visited or placed e-commerce orders on the platform, such as name, age, email address, postal address, phone numbers, unique device identifiers, order histories, partial payment information, geolocation information, as well as personal information automatically collected from consumer computers and mobile devices by the website’s data collection tools.

In addition, the personal information included consumer data that Drizly purchased from third parties such as income level, marital status, gender, ethnicity, existence of children, and home value. The Drizly databases also contained consumer account passwords that were hashed using MD5 which the FTC said is “cryptographically broken and widely considered insecure.”

The FTC complaint provides a roadmap for minimum reasonable data security measures. The FTC complaint alleges that Drizly failed to implement “reasonable information security practices” to protect consumers’ personal information. These reasonable security practices include:

Continue reading →

FTC study identifies email tools businesses can use to screen out spoof email

March 24, 2017March 24, 2017 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement, Privacy & Security beware of phishing emails, cybercrime, domain level email authentication, domain message authentication reporting and conformance DMARC, identity theft, spoof email, tax fraud

phishing scams The Federal Trade Commission (FTC) Bureau of Consumer Protection released a study this month (March 2017) indicating that business entities could be doing more to stop malicious emails from hitting the inboxes of employees. The goal behind many malicious emails is to trick individuals into turning over either their own confidential, personal information or confidential business information to which the individual has access due to his or her job responsibilities. Cyber criminals use social media sites such as LinkedIn, an entity’s own website, Internet search engines and other public resources to identify individuals with likely access to valuable information. The attacker uses such information to compose an email that spoofs an otherwise legitimate sender, such as a bank, mortgage company, Internet service provider (e.g., AT&T, Verizon, Spectrum, etc.), a business partner or even another employee. These malicious emails are commonly referred to as “phishing email” or “spoof email”.

The FTC’s report, titled Businesses Can Help Stop Phishing and Protect their Brands Using Email Authentication (Report), states that many businesses are not taking advantage of Continue reading →

LabMD Appeals; Court Grants Temporary Stay

December 2, 2016December 5, 2016 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement, HIPAA, Privacy & Security data breach, Federal Trade Commission, FTC, LabMD

In a recent blog post entitled “FTC Issues Final Order and Data Security Lessons in LabMD Case,” we discussed the Federal Trade Commission (“FTC”)’s Final Order in the LabMD case. The FTC found that LabMD failed to provide reasonable and appropriate security for its customers’ personal information and that this failure caused (or was likely to cause) substantial consumer harm constituting an unfair act in violation of the law. It ordered LabMD to implement a number of compliance measures, including creating a comprehensive information security program, undergoing professional routine assessments of that program, providing notice to any possible affected individual and health insurance company, and setting up a toll-free hotline for any affected individual to call. Although LabMD has closed its doors and has limited resources to comply with the FTC’s Final Order, it appealed the Final Order to the U.S. Court of Appeals for the Eleventh Circuit. At the same time, it sought a stay from the FTC, which would halt these compliance measures pending the court’s review. The FTC denied the stay, so LabMD then asked the Eleventh Circuit to grant the stay.

On November 10, 2016, the Eleventh Circuit granted LabMD’s motion to stay enforcement of the Final Order pending appeal. A copy of the court’s Order granting the stay is available here. When issuing the stay, the court found that there existed a serious legal question as to Continue reading →

FTC issues Final Order and data security lessons in LabMD case

August 16, 2016August 17, 2016 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement, HIPAA, Privacy & Security data breach, Federal Law Resources, Federal Trade Commission, FTC Act Section 5, LabMD, NIST, P2P file-sharing networks, privacy and security of protected health information

On July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ). The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act. It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network. Two alleged security incidents form the basis of the Complaint. In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD. In the second incident, dozens of day sheets and a small number of Continue reading →

Federal Agency to Develop Model Privacy Notice for Healthcare Apps

February 29, 2016February 29, 2016 Kathie McDonald-McClure Data Privacy & Security, FTC Enforcement, Health Information Technology data privacy, data security, FTC Enforcement, mHealth, mobile apps, wearable technology

On Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for “personal health records” (PHRs), which was the emerging technology at the time. ONC noted that since 2011, many retail healthcare apps such as exercise trackers and other wearable technology, have emerged and that consumers using such technology should be informed on how data collected through such apps is being used by the app developer and other third parties. ONC stated that the MPN is “a voluntary, openly available resource designed to help developers provide transparent notice to consumers about what happens to their data.”

Importantly, healthcare app developers should take heed that ONC is not the only federal agency interested in ensuring that there is adequate consumer protection for individuals taking Continue reading →

Wyatt HiTech Law Blog

A legal blog about consumer and business data privacy and security in a high tech world

FTC Enforcement