USA: FTC finalises order against Drizly over data breach affecting 2.5M consumers

The Federal Trade Commission ('FTC') announced, on 10 January 2023, that it had finalised its order against Drizly, LLC, following the earlier issuance of a proposed order on the same matter. The order concerns violations of § 5(a) of the Federal Trade Commission Act ('the FTC Act') arising from security failures at Drizly that led to a data breach exposing the personal information of approximately 2.5 million consumers.

Background to the order

The FTC reported that Drizly had been alerted to security vulnerabilities two years prior to the 2020 breach, yet failed to take steps to protect consumers' data from hackers, despite publicly claiming to have appropriate security protections in place.

Findings of the FTC

More specifically, the FTC found that Drizly did not require employees to use two-factor authentication for GitHub, did not limit employee access to personal data, did not develop adequate written security policies, and did not train employees on those procedures.

Furthermore, the FTC noted that Drizly stored critical database information on an unsecured platform, did not monitor its network for security threats or for unauthorised attempts to access or remove personal data, and did not put a senior executive in charge of ensuring that its data was kept secure. The FTC concluded that these failures allowed a malicious actor to access Drizly's consumer database and steal information relating to 2.5 million consumers.

Accordingly, the FTC's order, among other things, requires Drizly to:

  • destroy any personal data it collected that is not necessary for its specific purposes;
  • refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule;
  • publicly detail on its website the information it collects and why such data collection is necessary; and
  • implement a comprehensive information security program and establish security safeguards.

You can read the announcement here and the finalised order here.