It was announced today that Drizly, an alcohol delivery startup, experienced a data breach. In an email to customers obtained by TechCrunch, the company said that a hacker “obtained” some customer data. The hacker took customer email addresses, dates of birth, hashed passwords, and in some cases delivery addresses. Drizly did not say when the hack occurred or how many accounts were affected, but did advise users to change their passwords.
Although Drizly.com claims they weren’t aware that their data was compromised until July, there’s evidence that their customer data has been for sale on the Dark Web since February. So how come nobody caught this earlier? This incident should remind companies not just about the general importance of having good security, but more specifically about the importance of having a disclosure policy in place. I’m not sure if Drizly.com had one in place, but having a disclosure policy is a really important thing since it allows companies to learn about breaches as quickly as possible.
When you have a startup that’s really rockin’ it in terms of sales and growth, it definitely becomes a target for bad actors. Many times, startups don’t have the most put-together security team, if any team at all. It’s important, however, for companies to invest in security from the get-go. Without security, you’re bound to have issues – it’s not “if,” but “when.”
To clarify, this incident with Drizly.com was not conducted by a hacker, it was a malicious actor, that is, someone/group with malicious intent to steal, disrupt and exploit – they’ll use any means necessary to achieve their goals and cause havoc. In contrast, a hacker is a skilled computer expert whose goal is to find vulnerabilities in a system in order to create a breach.
Drizly is an incredibly popular service used by both consumers and organizations. This is why the Drizly data breach shouldn’t be treated as just another smash and grab of user data, but as a potential spring board for further attacks, especially on companies that used the service.
A recent CyberArk study showed that 93% of people reuse passwords across applications and devices, which is why a breach of this nature can be a boon to attackers. It allows them to take advantage of password reuse to gain access to other assets and applications and, when combined with the growing number of privileged users across organizations, potentially enables the start of much more targeted and damaging attacks. Added to this, the loss of personal data is hugely distressing for the victims, resulting in continued targeting by cyber criminals using their data to perform identity fraud and social engineering scams.
The reported hack of Drizly is another reminder that consumers should regularly update their user credentials and passwords and that diligence and preparedness aren’t always enough to keep hackers at bay. It is important that Drizly not try to play the victim in this situation. Either the hackers stole sensitive information or they didn’t. Be transparent and reassure your customers that you are doing everything in your power to protect them.
It’s safe to say that all companies value their privacy and work around the clock to protect proprietary information from their customers and partners. But valuing privacy and actually taking the necessary means to secure data oftentimes aren’t aligned. To corporate America, it’s inevitable that your network will be compromised and the companies that rebound from a compromise by smelling more like roses than moldy cheese are the ones that truly value security. Today, there is no silver bullet to prevent hackers from penetrating a network because you can’t prevent the inevitable from happening but you can improve your security hygiene, hire a team of threat hunters and be diligent.
Drizly users should change their passwords as well as the passwords of any other accounts that share the same password. If the passwords are cracked, hackers will try using them to log in to other accounts, an attack known as credential stuffing. Users should also be on the lookout for targeted phishing messages from scammers posing as Drizly or a related company.
The dark web listing is concerning but isn’t necessarily proof that Drizly leaked credit card information. The credit cards could have come from a separate database and merged with Drizly’s using common identifiers, such as email addresses. The screenshot of the dark web listing shows zero sales so far, so no one has left feedback on whether the data is valid or not (as of when the screenshot was taken).
The reported Drizly data breach is interesting as it shows clearly just how long the attacker was able to have access to Drizly’s internal systems without being noticed. We call this the ‘detection gap’ — the time between an initial breach and the victim noticing it. The stolen data appears to have been available since February, but the breach was only identified by Drizly on July 13 and reported to customers earlier this week.
That is a two-week delay between identifying the breach and informing any affected customers. The ‘detection gap’ has been going down for the last few years but, as this attack shows, it is still far too high. There are solutions that can reduce mean time to detection substantially. Organisations and their security teams are outgunned by today’s attackers in terms of resources and skills. Security teams often have to spend huge amounts of time managing the security systems, which means less time focusing on the threats. One clear way to reverse this challenge is using analytics and automation. These can help reduce the burden on security teams, bring better visibility to the threats they are facing and allow them to respond and react faster to attacks.