Did Uber's Delivery Service Drizly Die Due to Data Breach?

Closing of the Alcohol Delivery Service Follows Federal Crackdown for Poor Security
The U.S. Federal Trade Commission in 2022 accused Drizly of failing to deliver on cybersecurity. (Image: Shutterstock)

It's last call for Drizly, the alcohol delivery service Uber bought for $1.1 billion in 2021.

Drizly, which operates across 36 U.S. states - the company says it has millions of customers - will continue to accept orders until the end of March.

"We've decided to close the business and focus on our core Uber Eats strategy of helping consumers get almost anything - from food to groceries to alcohol - all on a single app," said Pierre-Dimitri Gore-Coty, Uber's senior vice president of delivery, in a statement. News of Drizly's pending closure was first reported Tuesday by Axios.

E-commerce accounts for only a small fraction of total U.S. alcohol sales. Pre-pandemic, sales of beer, wine and spirits online accounted for less than 1%, growing to almost 3% by 2022, reported market researcher Statista.

Whether or not Drizly's past cybersecurity missteps played any part in its being retired by Uber is unclear.

In October 2022, the company reached a settlement with the U.S. Federal Trade Commission over a July 2020 data breach in which hackers stole information pertaining to 2.5 million customers.

The stolen information included names, email and physical addresses, passwords, partial payment information and data collected for marketing purposes - including income level, marital status and home value. The data appeared to be available for download on data breach forums.

As part of the settlement, Drizly reached a 20-year agreement with the FTC that requires it to minimize the amount of data it collects on customers and to restrict employees' access to such data by using phishing-resistant multifactor authentication. Whether or not these stipulations will now apply to Uber Eats remains unclear.

"We're still evaluating the situation and can't comment at this point," an FTC spokesperson told Wine-Searcher.

Uber didn't immediately respond to a request for comment.

Uber's Cybersecurity Journey

The ride-hailing app is six years into its two-decade-long period of oversight by the FTC, following multiple data breaches and cybersecurity missteps. Those include a 2016 data breach affecting tens of millions of Uber account holders, for which a federal jury convicted former Uber CSO Joe Sullivan of misleading federal investigators (see: Joe Sullivan Tells Black Hat Europe: 'Choose Your Own Destiny').

Almost no company has ever gone out of business or suffered any measurable long-term impact to its reputation due to a data breach. A small handful of exceptions exist, including breached cryptocurrency exchanges that collapse because they don't have sufficient digital coins left to continue operating, such as Mt. Gox. Another exception involved Yahoo, which took a $350 million haircut on the purchase price agreed with acquirer Verizon in 2017 after revelations showed previous Yahoo data breaches had been much worse than initially reported.

FTC Singled Out Drizly's Then-CEO

The Drizly breach was another rare time the regulator singled out an executive over a data breach - in this case, the company's then-CEO, James Cory Rellas, who co-founded the company in 2012. The settlement agreement stipulated that for the next 20 years, if he were to take a senior position inside another company, he would be responsible for ensuring and demonstrating that the organization had a robust information security program in place.

In January 2023, Cathy Lewenberg, who joined Drizly in May 2020 as its chief operating officer, became CEO, replacing Rellas. At that time, he became global head of beverage alcohol at parent company Uber, reported Global Drinks Intel.

At the time of its 2020 breach, Drizly assured customers their passwords were being stored securely, including by hashing. What the company failed to make clear, the FTC said, was that the hashing involved using the long-deprecated MD5 algorithm, which the Software Engineering Institute in 2008 declared to be "cryptographically broken and unsuitable for further use." Experts say reversing an MD5-hashed password to recover the actual password has long been a trivial issue.

In fact, many security experts have said MD5 was never meant to be used to protect passwords at all, as a seemingly nonstop spate of data breaches involving MD5-hashed passwords in the 2010s - including at Ashley Madison, Russian web portal Rambler, Last.fm, Yahoo and many more organizations - continued to highlight.
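For teams that still hold MD5 password records of the kind described above, the following added example (not Drizly's or the FTC's code) shows one way to retire them: wrap dormant records at rest and re-hash from the plaintext at the next successful login. The record formats and function names are assumptions made for the example, and scrypt is used as one salted, memory-hard replacement; the article names no specific successor.

```python
import hashlib
import hmac
import os

# Assumed record formats (constructed for this example):
#   legacy : 32 hex chars, MD5 of the password
#   wrapped: "md5-scrypt$<salt>$<key>", scrypt over the old MD5 hex digest
#   current: "scrypt$<salt>$<key>", scrypt over the password itself
PARAMS = dict(n=2**14, r=8, p=1, dklen=32)
HEX = set("0123456789abcdef")

def _scrypt(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, **PARAMS)

def _record(scheme: str, secret: str) -> str:
    salt = os.urandom(16)  # unique per-record salt
    return f"{scheme}${salt.hex()}${_scrypt(secret, salt).hex()}"

def is_legacy_md5(record: str) -> bool:
    return len(record) == 32 and set(record.lower()) <= HEX

def wrap_legacy(record: str) -> str:
    """Protect a dormant account's MD5 record at rest, no plaintext needed."""
    return _record("md5-scrypt", record.lower())

def verify(password: str, record: str):
    """Return (ok, replacement_record or None) for one login attempt."""
    md5_hex = hashlib.md5(password.encode()).hexdigest()
    if is_legacy_md5(record):
        ok = hmac.compare_digest(md5_hex, record.lower())
    else:
        parts = record.split("$")
        if len(parts) != 3 or parts[0] not in ("md5-scrypt", "scrypt"):
            return False, None
        scheme, salt, key = parts
        secret = md5_hex if scheme == "md5-scrypt" else password
        ok = hmac.compare_digest(_scrypt(secret, bytes.fromhex(salt)).hex(), key)
        if scheme == "scrypt":
            return ok, None
    # Any MD5-derived record is replaced once the password is known.
    return ok, (_record("scrypt", password) if ok else None)

if __name__ == "__main__":
    legacy = hashlib.md5(b"constructed-sample-pw").hexdigest()  # constructed
    ok, upgraded = verify("constructed-sample-pw", wrap_legacy(legacy))
    print(ok, upgraded.split("$")[0])
```

Running `wrap_legacy` over every stored legacy record removes bare MD5 digests from the database immediately, while `verify` finishes the migration account by account as users sign in.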

"We take consumer privacy and security very seriously at Drizly and are happy to put this 2020 event behind us," the company said after reaching its 2022 settlement agreement with the FTC.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



