in Newswire Published on August 12, 2020

Drizly Hit with Class Action Over Data Breach Reportedly Affecting 2.5M Customers [UPDATE]

by Erin Shaak

Last Updated on May 13, 2021

View Comments

Barr v. Drizly, LLC et al.

Filed: August 7, 2020 § 1:20-cv-11492

Read Complaint

Online alcohol delivery service Drizly failed to detect a data breach for five months while customers’ private information was stolen, according to a class action.

Defendant(s)

Drizly, Inc. The Drizly Group, Inc. Drizly, LLC

Law(s)

State(s)

Massachusetts

Categories

Privacy Data Breach

Case Updates

May 13, 2021 – Settlement Website Is Live

The official settlement website, https://alcoholdeliverydatabreach.com/, is now live. Check it out for more information about the case, including FAQs, or to file your claim.

If you’ve received an email from info@alcoholdeliverydatabreach.com with a claimant code, you may enter the code here to begin filing an online claim. 

April 9, 2021 - $7.1 Million Settlement Given Preliminary OK

A $7.1 million settlement for the proposed class action detailed on this page, Barr v. Drizly LLC et al., has received preliminary approval. 

The proposed deal, which was given the initial green light by U.S. District Judge Leo T. Sorokin on March 30, aims to cover millions of U.S. residents whose data was compromised in the security incident that Drizly made public on July 28, 2020, in which an unauthorized party accessed certain personally identifiable information on the liquor delivery company’s patrons. 

Those who file a claim for a piece of the settlement can receive at least $14 in addition to a $1.99 account credit. Both amounts are contingent upon the number of consumers who file claims. At least $1.05 million, but no more than $3.15 million, in cash will go toward Drizly users, with $447,750 set aside for account credits. Drizly has also agreed to implement certain cybersecurity measures, valued at more than $2 million, over the next two years. 

ClassAction.org will update this page if and when the settlement receives final approval. The official settlement website, AlcoholDeliveryDataBreach.com, has yet to go live.  

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.

August 20, 2020 – Another Case Filed in Arizona

Drizly LLC and The Drizly Group, Inc. have been hit with another proposed class action over a data breach that reportedly compromised 2.5 million customer accounts.

Filed in Arizona, the lawsuit claims the online alcohol delivery service not only failed to implement proper security measures to prevent the breach but also took “no affirmative steps” beyond merely notifying customers to protect affected individuals from future identity theft and fraud.

The full complaint can be read here.

Online alcohol delivery service Drizly, LLC failed to detect a data breach for five months while customers’ private information was stolen, according to a proposed class action lawsuit.

Filed against Drizly, LLC and The Drizly Group, Inc., the 40-page lawsuit alleges insufficient data security measures were to blame for the breach, which the case notes may have occurred as early as February 2020.

Although Drizly, which claims to operate the world’s largest alcohol marketplace, says its customers “trust us to be part of their lives,” the company notified proposed class members in a July 2020 email that it had “recently identified some suspicious activity involving customer data” and determined through an internal investigation that “an unauthorized party appears to have obtained some of our customers’ personal information,” the suit says.

“Despite Drizly’s claims of ‘trust,’ Drizly’s deficient data security measures left its customers’ sensitive customer data vulnerable to hackers who pilfered this information and placed it for sale on the dark web on February 13, 2020, to which it appears Drizly was oblivious,” the complaint scathes.

According to the case, TechCrunch reported on July 28 that the breach was far more extensive than Drizly disclosed in its email, noting that as many as 2.5 million accounts are believed to have been compromised. Though Drizly claimed the compromised information was limited to customers’ email addresses, dates of birth, passwords, and delivery addresses, TechCrunch reportedly found after obtaining a portion of the data that customers’ phone numbers, IP addresses, and geolocation details associated with their billing addresses were also exposed to unauthorized parties.

“TechCrunch’s findings confirm that not only did Drizly allow a data breach to occur, but Drizly has failed to discover, and disclose, the full scope and extent of the Data Breach,” the complaint reads.

Although Drizly assured users that no financial information had been compromised in the breach, a screenshot captured by TechCrunch “blatantly shows the exact opposite,” the suit continues. According to the article cited in the complaint, TechCrunch discovered a February 13, 2020 post on the Dark Web in which a “well-known seller of stolen credit data” offered for sale “Fresh Hacked drizly.com Account [sic] with Valid CC attached and Order History” at a price of $14.

The post indicates hackers successfully exfiltrated customers’ credit card numbers as early as February, which exposed Drizly users to a “significant and imminent risk of future harm of identity theft and fraud,” the lawsuit asserts.

The case further claims Drizly not only failed to prevent the breach but failed to timely detect and report that customers’ information had been stolen, leaving them unable to take steps to mitigate the harm caused as a result of their data being compromised.

“Drizly failed to properly safeguard Plaintiff’s and Class members’ information or timely notify them that sensitive customer data was stolen, allowing cybercriminals to access its users’ sensitive customer data since at least February 13, 2020, when the ‘Fresh Hacked’ dump of sensitive customer data was posted on the dark web,” the complaint reads, averring that the incident would have discovered the breach “much sooner” had Drizly properly monitored its systems.

The lawsuit says Drizly has refused to provide any monitoring services or identity theft and fraud insurance, opting instead to urge customers to reset their passwords and “continue monitoring your account for any unusual activity.” The case claims the risk of identity and fraud faced by Drizly customers “will persist for years,” requiring that those affected “vigilantly monitor their financial accounts ad infinitum.”

The lawsuit looks to represent anyone in the U.S. whose sensitive customer data was compromised in the data breach made public by Drizly on July 28, 2020.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on May 13, 2021 — 12:56 PM

Erin Shaak

erin@classaction.org

Erin works primarily on ClassAction.org’s newswire, reporting on cases as they happen.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.