Drizly — and its CEO — are currently in hot water with the Federal Trade Commission (FTC) after a series security failures at the alcohol delivery company.

Drizly allegedly risked the personal data of some 2.5 million customers through inadequate security measures, according to an Oct. 24 press release from the FTC. As detailed in the formal complaint, CEO James Cory Rellas were reportedly made aware of security issues two years prior to a 2020 breach but failed to take proper action.

In the complaint, the FTC outlines four main areas of concern at Drizly: absence of basic employee security measures, data storage on unsecured platforms, lack of security threat monitoring, and history of consumer data leaks. It also cites a specific timeline of security concerns at the company.

In 2018, a Drizly employee reportedly posted login information for a company account on Github, a software development platform.

“As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account,” the press release states. “Drizly failed to take steps to adequately address its security problems while publicly claiming to have appropriate security protections in place.”

In a 2020 data breach, consumers’ personal data was also allegedly listed for sale on the dark web, putting users at risk for financial fraud, identity theft, and other debt-related issues.

The FTC order requires that the company institute several data protection practices, including eliminating non-essential consumer data from its servers and in the future only collecting necessary data. The administrative order also requires Rellas to take responsibility for the company’s security practices, even if the CEO chooses to leave Drizly and work at another organization.

Naming a specific executive in an administrative complaint is a rare move for the FTC, according to The Washington Post.

Drizly, an online marketplace for beer, wine, and alcohol consumers, utilizes Amazon Web Services to store users’ personal information. That data could include email, physical addresses, phone numbers, geolocation, and other details. Drizly is a subsidiary of Uber.

This story is a part of VP Pro, our free content platform and newsletter for the drinks industry, covering wine, beer, and liquor — and beyond. Sign up for VP Pro now!