American alcohol delivery giant Drizly has admitted to suffering a major data breach that involved the theft of personal information of up to 2.5 million customers, including their phone numbers, addresses, IP addresses, and geolocation data.
Drizly is the world's largest alcohol marketplace, offering customers the convenience of ordering their favourite drinks from a huge selection of beer, wine, vodka, whiskey, gin, rum, brandy, or tequila. The e-commerce firm operates in over a hundred cities across North America and also has a sister brand named Lantern which is an on-demand cannabis home delivery service.
Earlier today, TechCrunch learned that Drizly emailed its customers about a major data security incident that involved the theft of up to 2.5 million customer accounts and staff accounts by hackers.
Information obtained by hackers included customers' email addresses, billing addresses, dates of birth, hashed passwords, their IP addresses, and geolocation data associated with their addresses.
“In terms of scale, up to 2.5 million accounts have been affected. Delivery address was included in under 2% of the records. And as mentioned in our email to affected consumers, no financial information was compromised,” said a Drizly spokesperson.
However, a recent listing on a dark web marketplace accessed by TechCrunch revealed that hackers were able to steal the financial information associated with the stolen customer accounts. The listing boasted about containing valid credit card details and was put up for sale for just $14.
A copy of Drizly's data breach notification
"The reported Drizly data breach is interesting as it shows clearly just how long the attacker was able to have access to Drizly’s internal systems without being noticed. We call this the 'detection gap' — the time between an initial breach and the victim noticing it. The stolen data appears to have been available since February, but the breach was only identified by Drizly on July 13 and reported to customers earlier this week," said Dan Panesar, director, UK & Ireland, at Securonix.
"That is a two-week delay between identifying the breach and informing any affected customers. The ‘detection gap’ has been going down for the last few years but, as this attack shows, it is still far too high. There are solutions that can reduce mean time to detection substantially.
"Organisations and their security teams are outgunned by today's attackers in terms of resources and skills. Security teams often have to spend huge amounts of time managing the security systems, which means less time focusing in on the threats.
"One clear way to reverse this challenge is using analytics and automation. These can help reduce the burden on security teams, bring better visibility to the threats they are facing and allow them to respond and react faster to attacks," he added.
Drizly is yet to confirm whether it was a ransomware attack, a credential-stuffing attack, or just human error that resulted in the massive breach of customer records. However, unlike many other businesses that have been forced to cull their staff or shut their doors due to the pandemic, Drizly saw sales rise by 400% in May alone due to stay-at-home advisories.
While we wait for further details about the data security incident, it is still too early to speculate, but ransomware may seem the perfect kind of cyber attack to aim at companies that have seen their fortunes rise in the middle of a pandemic.