Online alcohol retailer Drizly and its chief executive officer agreed to data security requirements and to be assessed by an independent monitor for up to 20 years as part of a final settlement with the Federal Trade Commission over a data breach that impacted 2.5 million consumers, the FTC announced Tuesday.

The FTC had proposed the measures and filed a complaint against Drizly in October, alleging the company and CEO James Cory Rellas knew about security vulnerabilities and ignored them.

Customer emails, addresses, phone numbers, and other data were unnecessarily stored by the company on an insecure platform with gaps that allowed hackers to gain access, the FTC alleged.

The alleged negligence of Drizly, a subsidiary of Uber Technologies, and Rellas allowed the personal data of 2.5 million customers to be compromised in a 2020 data breach, according to the complaint.

The breach occurred after a Drizly executive participated in a one-day computer programming exercise on GitHub, where Drizly stored data. After the event, the company neglected to terminate the executive’s access, and hackers broke through a full two years later, per the complaint.

Under the FTC’s order, finalized after a 4-0 vote, within 60 days Drizly must destroy all unnecessary personal information it has collected and is restricted from continuing to collect and store similar information going forward. It must report to the FTC what data it destroys.

Drizly must implement a broad information security system that includes security training for employees, the appointment of a high-level employee to oversee the security measures, limits on who can access customer personal data, and other measures.

It must create a written security policy, including standards and controls for enforcing compliance with the security measures, according to the order.

Drizly must hire a third party to assess whether it is in full compliance with its security program and provide the documentation to the FTC. Two assessments must be completed in 2023, and then every other year for the next 20 years.

The FTC faulted Rellas for not acting after he allegedly was alerted to the vulnerabilities of Drizly’s platform, and it imposed requirements that will follow him for a decade, including if he takes a position as an executive or owner with other companies that collect information from more than 25,000 people.

While at Drizly, Rellas has overseen the hiring of executives in nearly all aspects of the company, but he “failed to hire a senior executive responsible for the security of consumers’ personal information collected and maintained by Drizly,” according to the complaint.

“We take consumer privacy and security very seriously at Drizly and are happy to put this 2020 event behind us,” a Drizly spokesperson said in an emailed statement.

Editor’s note: This story was updated Jan. 17 to correct the FTC commissioner vote total to 4-0. The original version indicated a 4-1 vote.