The Federal Trade Commission (FTC) announced a tentative settlement with online alcohol delivery platform Drizly and its chief executive officer regarding a data breach affecting 2.5 million consumers and the alleged lax security that allowed it to happen.

The proposed order, released Monday, will be printed in the Federal Register and subjected to a 30-day comment period, after which the FTC may decide to accept it and make it final or withdraw from it.

The agency highlighted the inclusion of Drizly CEO James Cory Rellas in its proposed order for his role in presiding over the company’s alleged security failures.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release. “CEOs who take shortcuts on security should take note.”

Drizly is a subsidiary of Uber Technologies, where a former chief security officer was found guilty earlier this month of covering up a data breach and misleading the FTC in a separate case.

Drizly and Rellas “engaged in a number of unreasonable security practices” that allowed hackers to download the personal information of millions of consumers the company stored, the FTC alleged in its analysis of its proposed consent order. The breach occurred in 2020, when an unauthorized party accessed an employee GitHub account and took a series of steps to eventually steal customer data.

The FTC alleged Drizly and Rellas were aware of problems with the security of customer data regarding GitHub after a security incident involving the platform in 2018.

Rellas and the company also made false statements by saying Drizly used appropriate safeguards to protect consumers’ personal information, the agency alleged.

Under the proposed order, Drizly and Rellas would be required to destroy and not store any personal data that isn’t necessary for the company to provide products or services to consumers. It would have to report to the agency regarding the data it has destroyed.

If it collects data, Drizly would have to explain on its website why it is necessary.

Drizly would have to create a comprehensive data security program with safeguards to protect against future incidents. The program would have to include training for employees, controls on which employees can access customer data, and a requirement that employees use multi-factor authentication when accessing consumer data.

Rellas would have to create an information security program if he becomes majority owner, CEO, or a senior security officer at any other company with more than 25,000 consumers, the FTC said.

“In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the commission’s proposed order will follow Rellas even if he leaves Drizly,” the agency said.

The FTC voted 4-0 to issue the tentative consent agreement. Commissioner Christine Wilson dissented, in part because she didn’t believe Rellas should be included in the enforcement action.

“CEOs have hundreds of issues and numerous regulatory obligations to navigate,” Wilson said. “Companies, not federal regulators, are better positioned to evaluate what risks require the regular attention of a CEO. And when companies err in making those assessments, the government will hold them accountable.”

Drizly didn’t reply to a request for comment.