Board Pack (FTC v. Drizly 2022)
Use this to brief executives and counsel.
Purpose
This board brief provides decision-useful context for FTC v. Drizly 2022: the July 2020 incident, the October 2022 consent order, root causes in IAM and secure development, and specific oversight decisions requested from directors. It is designed to help the board evaluate governance adequacy, remediation priority, and reporting cadence across legal, technical, and operational dimensions.
Hallucinated writing examples
Scenario: In an illustrative period following the FTC October 2022 consent order after the July 2020 Drizly breach (time), the Chief Information Security Officer (role) prepares a board security brief (type) for Board Audit Committee (audience).
MEMORANDUM
This memorandum summarizes the July 2020 cybersecurity incident affecting approximately 2.5 million consumers, the Federal Trade Commission’s complaint and Decision and Order accepted October 24, 2022 (In the Matter of Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185), and the Company’s remediation and compliance program. The FTC did not impose a civil money penalty in this action; obligations are primarily injunctive and program-based, with individual duties on the CEO in future covered roles.
Incident Summary: In July 2020, an attacker compromised an executive’s GitHub account by reusing credentials exposed in an unrelated breach. The executive had retained access after the short-term need for it had passed, and the account was not protected by multifactor authentication. The attacker accessed repositories containing cloud and database credentials, entered the production environment, and exfiltrated a user table with personal information for more than 2.5 million consumers. The Company did not initially detect the breach internally; we learned of it from external reports that the data was being offered for sale.
The FTC alleged unfair security practices and deception regarding safeguards described in public statements.
Regulatory and Legal Outcomes: The consent order requires a comprehensive written information security program (coordinator, risk assessment, access controls, secure development, monitoring, vendor oversight), a published data retention schedule and minimization discipline, biennial independent assessments, and recordkeeping. CEO-specific obligations apply if he serves in a leadership role at another company meeting the order’s coverage thresholds. Management coordinates implementation with legal and compliance.
Control Failures and Root Causes: The FTC’s complaint and our internal review identified:
- Storage of cloud and database credentials in source repositories;
- Failure to enforce MFA and strong credential hygiene for GitHub and production administration paths;
- Failure to revoke or monitor temporary elevated access after the one-day event;
- Insufficient monitoring and detection for exfiltration and anomalous access;
- Absence of a formal minimization and retention program aligned to actual collection practices;
- Prior 2018 GitHub exposure of credentials without adequate sustained remediation.
These areas are the focus of our remediation plan.
Remediation and Order Compliance: The Company is implementing MFA for privileged and sensitive paths, secret scanning and pipeline blocking, access reviews and offboarding discipline, centralized logging with retention targets, detection engineering for crown-jewel data flows, a published retention schedule with deletion jobs, and biennial assessment procurement with FTC-ready reporting.
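As an added illustration of the "secret scanning and pipeline blocking" item (example code, not the Company's tooling or anything from the FTC record), the gate below scans only the added lines of a unified diff for the credential classes named in the root-cause list, cloud access keys and database connection strings, and fails the CI job on a hit. The patterns, file names and the sample diff are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple
# Illustrative patterns for the credential classes named in the root-cause list
# (cloud access keys, database connection strings); assumptions, not the Company's tooling.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}\b"),
    "db_connection_string": re.compile(
        r"(?i)\b(postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:\s/]+:[^@\s]+@"),
}

def scan_added_lines(diff_text: str) -> List[Tuple[str, int, str]]:
    """Return (file, new-file line number, pattern name) for each secret on an added line."""
    findings, current_file, new_line_no = [], "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                    # new-file header: strip the b/ prefix
            current_file = raw[4:].strip().removeprefix("b/")
        elif raw.startswith("--- ") or raw.startswith("\\"):
            continue                                  # old-file header, "No newline" marker
        elif raw.startswith("@@"):                    # hunk header gives the new start line
            m = re.search(r"\+(\d+)", raw)
            new_line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):                     # only added lines can introduce a secret
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(raw[1:]):
                    findings.append((current_file, new_line_no, name))
            new_line_no += 1
        elif not raw.startswith("-"):                 # context line; removed lines take no number
            new_line_no += 1
    return findings

def pipeline_gate(diff_text: str) -> Tuple[bool, List[str]]:
    """Return (passed, messages); a False result is what fails the CI job and blocks the merge."""
    findings = scan_added_lines(diff_text)
    messages = [f"{f}:{n}: {name} in added line; blocking merge" for f, n, name in findings]
    return not findings, messages

# Constructed diff for the demonstration; the AKIA value is AWS's published documentation example.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DATABASE_URL = "postgres://app:hunter2@db.internal:5432/orders"
 ALLOWED_HOSTS = ["example.com"]
-OLD_SETTING = 1
"""
```

Running `pipeline_gate(SAMPLE_DIFF)` reports both credentials with their new-file line numbers and returns a failing status; wiring that status into the merge check is the "pipeline blocking" half of the control.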
Approval and Endorsement Requests: Management requests the Committee’s approval of the written program framework and retention schedule for publication; approval of budget for SIEM, secret-management tooling, and independent assessments; and endorsement of executive accountability metrics on MFA coverage, mean time to revoke access, and retention compliance sampling.
Please let me know if additional information or further detail would be helpful.
Respectfully submitted,
Chief Information Security Officer