Drizly, a prominent online alcohol delivery startup, suffered from an attack from an external cyber-attack leading to a data breach. According to a company email to customers, an unidentified hacker took customer email addresses, dates-of-birth, passwords, and delivery addresses in some cases. As many as 2.5 million customers may have been affected, and data exposed may also include phone numbers and IP addresses.
While Drizly claims that the hacker did not steal financial data, a report from TechCrunch disputes that. The article alleges a “dark web marketplace from a well-known seller of stolen data” offered Drizly account information including credit card information; however, TechCrunch could not confirm the veracity of the dark web seller’s claims.
Despite the size of the breach seeming comparatively small, the prominence of the business affected has garnered significant attention from cybersecurity experts. Here’s what they had to say.
What Can Businesses Learn From the Drizly Data Breach?
Saryu Nayyar is CEO of Gurucul.
“The reported Drizly data breach is interesting for what it shows about attacker dwell time—the time between an initial breach and the victim noticing it. The stolen data has been available on the dark web since mid-February 2020, but the breach was only identified by Drizly on July 13th, 2020, and reported to customers on July 28th, 2020.
That is a 2-week delay between identifying the breach and informing affected customers. More importantly, indications are that the threat actor had access to Drizly’s systems for roughly 6 months, at least, before they were identified.
Dwell time has been going down for the last several years but, as this shows, it is still far too high. Tools exist that can reduce dwell time substantially, but organizations need to be proactive about adding them to their security suites.”
Ben Goodman is CISSP and Senior Vice President of Global Business and Corporate Development at ForgeRock.
“In today’s evolving fraud landscape, usernames and passwords are ineffective and insecure forms of authentication. Many times, passwords and usernames contribute to major security risks if they are compromised in data breaches since many users reuse login credentials across multiple accounts. In fact, 51 percent of people use the same passwords for work and personal accounts, which makes it easy for threat actors to reuse stolen login credentials to obtain access to additional profiles via credential stuffing.
Attackers are constantly on the prowl for consumers’ sensitive data. In fact, personally identifiable information (PII) was exposed in 98 percent of 2019 data breaches alone. Attackers will always take the path of least resistance to achieve their goal, and password reuse just makes it that much easier to attain unauthorized access to consumer data.
To reduce the risks of future data breaches caused by username and password insecurity, organizations must remove usernames and passwords. Fortunately, the technology needed to make this a reality is available today. Organizations can opt for users to use biometrics instead of passwords, and pin-protected keys instead of usernames during the authentication journey.”
Robert Prigge is CEO of Jumio.
“Drizly’s exposed email addresses, delivery addresses, credit card details, hashed passwords, birth dates and order history selling for $14 speaks to the abundance of personal data available for sale and just how inexpensive it is for fraudsters to commit account takeover and fraud. With this information, cybercriminals can decode passwords and log-in as the user allowing them to steal credit card information to make fraudulent purchases both on the site and elsewhere.
As most use the same password across accounts, fraudsters can use this same password to access the user’s banking accounts, social media profiles, unemployment benefit sites and more to steal benefits and change the password to lock the real user out. Drizly’s recommendation for customers to change passwords is not enough to keep user data protected. Online retailers (and any organization with a digital presence) have a responsibility to keep accounts protected to maintain customer trust. Biometric authentication (leveraging unique human traits to confirm identity) is far more secure and ensures only the legitimate user can access their account.”
Thanks to our cybersecurity experts for their time and expertise. Learn more in our Identity Management Buyer’s Guide.
- Identity Management Lessons from the UC San Diego Health Attack - July 28, 2021
- The Biggest IAM News Items During the First Half of 2021 - July 27, 2021
- When is it Time to Replace Your Homegrown Identity Management? - July 26, 2021