Drizly, the biggest name in online alcohol delivery services (that also provides sales data we usually hype) had a data breach recently. Multiple outlets have confirmed that the hacker stole customer email addresses, dates of birth, passwords and even some delivery addresses. We’re talking about around 2.5 million accounts. Drizly says no credit card data was taken, but TechCrunch found a post on a dark web marketplace that claims otherwise.
This is obviously not good, but it’s also a big-time warning to beer drinkers and the craft beer industry at large as it embarks on a new online sales / delivery-focused model.
Cyber attacks on the rise
We reached out to Aura, a cybersecurity specialist, for their thoughts on this Drizly breach and any words of caution for the adult beverage industry going forward.
Hamed Saeed, General Manager of Aura Identity Guard: “We are already seeing cyber attacks skyrocket during the quarantine. Many of our B2B partners have come to us after experiencing tax or unemployment fraud during quarantine, and we expect similar attacks to continue during these economically uncertain times. COVID has accelerated digital transformation, so adapting digital behavior when using all forms of technology is essential in curbing cyberattacks.”
Ryan Toohil, Chief Technology Officer, Aura: “Digital platforms like Drizly being targeted doesn’t come as a surprise. The number of users on a platform is directly correlated with data value—the more users, the more valuable the data. Delivery services like Drizly in particular house personal consumer data that can be used as a catalyst for other digital exploits. Email, address, date-of-birth, and other personal information gained from a breach is oftentimes enough to get past security questions on other platforms and sites. There are also implications for tax or unemployment fraud, which are already growing during these economically uncertain times.”
Cyber security best practices
Saeed: “All businesses, including breweries, need to ensure they establish internal protocols to protect customer data, including limiting employee access to customer information that can be exploited. Limiting access to information like customers’ date of birth, address, and email is a good first step. This is the kind of data that can be enough to get through security questions on other sites; that’s often the intent of using data in a breach.”
I’ll also refer you to this article in our archives in which we asked Larry Chasin, insurance program manager at BreweryPak, what his firm recommends for breweries in need of stepping up cyber security protection.
“Considering POS intrusion is the second leading cause of a breach, merchants must become more compliant in accepting credit cards with chip technology,” he said. “In fact, as of October 1, 2015, all merchants should have the proper processing technology for accepting chip cards. However, most merchants in the U.S. do not, as the estimated number in compliance sits below 50 percent.”
Merchants without this chip card processing technology are more vulnerable to a data breach and won’t be reimbursed by the payment card industry for fraudulent credit card transactions. For example: Purchases made from a stolen credit card will not be compensated if the merchant isn’t following the “standards” for credit card processing technology. On top of that, they are subject to fines from the payment card industry which are typically covered under Cyber Risk coverage.
Cyber Risk coverage typically addresses third-party liability of insureds, as well as wrongful acts including infringement of copyright or trademark and defamation. These are typically associated with content posted to a website. Breaches that may reveal personally identifiable information of others or cause transmission of a virus to a third party should also be covered. The first-party expenses breweries should think about include extortion threats, business income, public relations, legal fees and credit monitoring.
Note that these exposures are not covered under the typical property and liability policy. In order to address these risks, specialized endorsements and policies must be made. We’d suggest finding an insurer that specializes in breweries and wineries and understands their unique risk exposures; such an insurer is best suited to provide brewery owners with the cyber coverage options that are right for them.
“From a risk management perspective, breweries should make Cyber Risk prevention a high priority for all levels of leadership,” Chasin said. “Cyber Risk prevention is no longer just an IT issue but a responsibility to be shared by all employees no matter their position. It’s important to have policies and procedures in place regarding the handling of personal information and social media use. An organization’s security is only as strong as its weakest link, making employee training and awareness a priority. Limit data access to only authorized personnel and properly train employees on cyber security issues to keep your company protected.”
Tips for users
Toohil: “Users can’t do anything about an app’s security infrastructure, but they can be cautious about their own digital behavior. If it’s an application on your smartphone, a popular social media platform, etc., users should take measures to strengthen passwords and ensure two-factor authentication is enabled when available. It sounds obvious, but the best thing users can do is leverage the places they do exert control: the information they are sharing with various apps and technologies.
“During a time when we all are opting for convenience, consumers are going to continue using a wide variety of technologies that are vulnerable. Now is a great time to think about things to secure your digital presence like a password manager, two-factor authentication whenever available, and ensuring your devices and software are up-to-date. Less intuitively, providing known ‘bad’ info for security questions can be a great way to ensure a breach like this can’t be used to get into other apps. Provide fake birthdays and addresses when possible, and store them in your password manager. That way, if your data is breached, it can’t be used to get into a service that requires your actual information.”
Saeed: “The best thing users can do immediately is exercise control over the information they choose to share, and use tools like Identity Guard to get the protection needed to keep their digital information safe.”