Drizly, an alcohol delivery startup, announced that it was affected by a data breach. In July 2020, the data of about 2.5 million users were hacked. According to the delivery platform, the hackers accessed the customer’s account and information on July 13.
Drizly is a successful platform with its branches all over the US and now expansion in Canada. The platform raised about $68 million, leaving behind Minibar and Delivery.com. This rapid spread speaks volumes about the efficiency of the delivery platform.
But its standard and prestige hit a blow in July 2020, leaving everyone shocked.
According to Ryan Toohil, the chief technology officer at Aura, ” Such attacks have been more than common now. Platforms with the highest user count are the main victim of such bad actors. With platforms like Drizly, getting the information of personal customers is much easier to access and exploit”.
This breach has proved to be an extremely deadly blow for Drizly, especially with the rise in popularity of the delivery service platform during the ongoing pandemic.
Drizly experienced an increase of 1700% in its sales during the pandemic. However, the platform saw a decrease in its profits and sales after the breach attack.
Keep reading to find out more about the breach and its after-effects.
The breached data included customers’ email addresses, date of birth, passwords, phone numbers, IP addresses, geolocation data, other billing information, and whatnot. The data that was reported to be stolen was checked against public records.
About 2% of the records contained users’ delivery addresses. Although Drizly stated that no financial information was compromised, this statement cannot be accurate. This is because a well-known seller was caught selling the customers financial information on the dark web.
This breach took place as a part of a much bigger spree carried out by a dangerous hacker named ShinyHunters. This hacker stated that he had about 386 million records accumulated from different big websites.
Drizly was further blamed for having poor security measures, taking no decisive steps to reverse the damage, and acting pretty insensitively.
How Serious was the Problem?
When Drizly learned about the breach, it immediately informed all of its customers via email. According to Drizly, the matter was brought under control, and security tightened. However, customers were still asked to change their passwords.
The class-action lawsuit was filed against Drizly. The lawsuit was filed on the basis that the security measures if Drizly weren’t strong enough to protect its user’s data and personal information. The customers affected were victims of fraud, identity theft, and many other violations.
Customers could claim a part in the lawsuit only if they were eligible. They had to fill in a claim form, ensuring they were eligible for a reward. This deal was extended to all US consumers who experienced a breach of their data.
Drizly tried its best to underplay the whole situation, but eventually, TechCrunch revealed the accurate details from which it could be seen that the extent of this breach was widespread. Drizly miserably failed at detecting the problem on time and taking the necessary steps.
How did Drizly Respond?
Drizly tried its best to underplay the whole situation, but eventually, the word got out. A spokesperson of Drizly stated that “as mentioned in the emails, no financial information was put at risk”. The last part was inaccurate as days later the financial information of Drizlys users was found on the dark web. According to Drizly, once they got to know about the breach, they immediately took action and worked closely with “law enforcement’s”.
A $7.1 million lawsuit was filed against the delivery service claiming that Drizly was the one that gave the hackers access to the user’s information. Drizly agreed to pay $1.05 million in a settlement.
It was decided by the court of Massachusetts that every customer affected by the breach would receive at least $14 along with a $1.99 account credit. The amount was open to changes depending upon the claims approved in the settlement.