Hackers could have stolen beer from Scottish brewery and pub chain BrewDog due to a vulnerability that exposed details of more than 200,000 shareholders.
The vulnerability in the company’s mobile application was discovered by security consulting firm Pen Test Partners, which said details belonging to customers and shareholders of “Equity for Punks” were available for more than 18 months.
Due to the way the mobile app authenticated users, it would have been “trivial” for any of them to access someone else’s personal identification information.
“But, best of all, shareholders receive a free beer three days before or after their birthdays as part of the Equity for Punks program,” the consulting firm said.
“Just log into an account with the required date of birth, generate the QR code and the beers are on BrewDog!”
The data exposed by the bug included names, dates of birth, phone numbers, email and shipping addresses, entries and more.
Pen Test Partners has stated that this data would be considered personally identifiable information under UK data protection laws.
These laws also include an obligation for companies to protect this data – something the consulting firm said BrewDog had failed to do with its design.
BrewDog said it has now fixed the issue and that during its audits it found no evidence that hackers stole shareholder data – although the researchers warn that absence of evidence is not proof of absence.
A company spokesperson said, “We were recently made aware of a vulnerability in one of our applications by a third-party technical security services company, following which we immediately removed the application and solved the problem.
“We have not identified any other instances of access via this route or of personal data having been impacted in any way. There was therefore no obligation to notify users.
“We are grateful to the third-party technical security services company for alerting us to this vulnerability. We are fully committed to ensuring the security of the privacy of our users.”
“Our security protocols and vulnerability assessments are always under review and refinement, so that we can ensure that the risk of a cybersecurity incident is minimized,” they concluded.
Pen Test Partners added: “An obvious question is whether the data has been viewed by unauthorized persons.
“While BrewDog says they currently can’t see any evidence of this, we don’t really know how they would validate this: each request will come from a valid account with a valid (but identical!) bearer token.
“How then would they prove that the request came from the valid user and not from unknown people?”
“It will take a very thorough forensic investigation to prove with certainty that a violation did not take place,” the consultants added.
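The mechanism the consultants describe, a single bearer token shared by every install of the app combined with a client-supplied customer id, is modelled below as an added Python example. It is not BrewDog’s code nor Pen Test Partners’ tooling; the function names, the customer records, the placeholder token and the access-log lines are all constructed. It shows the vulnerable check beside a hardened one that derives identity from a per-user token, and an audit helper that illustrates the attribution problem raised in the quote: with one shared token, the server log cannot say which account made a request.

```python
"""Model of a shared-bearer-token flaw and its fix (added example, constructed data).

Assumed names: CUSTOMER_DB, SHARED_APP_TOKEN, USER_TOKENS and the functions below.
No real endpoint, token or customer record is reproduced.
"""
import secrets
from collections import defaultdict

# Constructed customer directory keyed by customer id.
CUSTOMER_DB = {
    1001: {"name": "Alice Example", "dob": "1990-04-12", "email": "alice@example.test"},
    1002: {"name": "Bob Example", "dob": "1985-11-02", "email": "bob@example.test"},
}

# Vulnerable pattern: one token baked into the app and sent by every install.
# It proves "this request came from our app", not "this request came from this user".
SHARED_APP_TOKEN = "app-static-token-PLACEHOLDER"  # placeholder, not a real value


def vulnerable_get_customer(auth_header, customer_id):
    """Checks only that the shared app token is present, then serves whichever
    customer id the client asked for. Returns (status, record)."""
    if auth_header != f"Bearer {SHARED_APP_TOKEN}":
        return 401, None
    record = CUSTOMER_DB.get(customer_id)
    return (200, record) if record else (404, None)


# Hardened pattern: a per-user token issued at login. The account identity comes
# from the token, and the requested id must match the token's owner.
USER_TOKENS = {}  # token -> customer_id (a server-side session store in practice)


def issue_token(customer_id):
    """Issue an unguessable per-user token after the user has authenticated."""
    token = secrets.token_urlsafe(32)
    USER_TOKENS[token] = customer_id
    return token


def hardened_get_customer(auth_header, customer_id):
    """Resolve the caller from the token and refuse cross-account reads."""
    if not auth_header.startswith("Bearer "):
        return 401, None
    owner = USER_TOKENS.get(auth_header[len("Bearer "):])
    if owner is None:
        return 401, None
    if customer_id != owner:
        return 403, None  # authenticated, but not authorised for this record
    return 200, CUSTOMER_DB[owner]


def ids_per_token(log_lines):
    """Count distinct customer ids successfully fetched per token.

    Input is constructed access-log lines of the form
    'token=<t> customer_id=<n> status=<s>'. Under a shared token every line
    carries the same token, so the count cannot be attributed to an account;
    under per-user tokens, any token touching more than one id is anomalous.
    """
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("status") == "200":
            seen[fields["token"]].add(int(fields["customer_id"]))
    return {token: len(ids) for token, ids in seen.items()}


def tokens_reading_multiple_ids(log_lines):
    """Tokens that fetched more than one customer record (only meaningful
    when tokens are per-user)."""
    return sorted(t for t, n in ids_per_token(log_lines).items() if n > 1)


# Constructed log samples: the same three reads seen with a shared token and
# with per-user tokens.
SHARED_TOKEN_LOG = [
    f"token={SHARED_APP_TOKEN} customer_id=1001 status=200",
    f"token={SHARED_APP_TOKEN} customer_id=1002 status=200",
    f"token={SHARED_APP_TOKEN} customer_id=1003 status=200",
]
PER_USER_TOKEN_LOG = [
    "token=tokA customer_id=1001 status=200",
    "token=tokB customer_id=1002 status=200",
    "token=tokC customer_id=1001 status=200",
    "token=tokC customer_id=1002 status=200",
    "token=tokC customer_id=1003 status=200",
]

if __name__ == "__main__":
    alice = issue_token(1001)
    print("vulnerable, Alice's app reads Bob:", vulnerable_get_customer(f"Bearer {SHARED_APP_TOKEN}", 1002)[0])
    print("hardened, Alice's token reads Bob:", hardened_get_customer(f"Bearer {alice}", 1002)[0])
    print("shared-token log attribution:", ids_per_token(SHARED_TOKEN_LOG))
    print("per-user-token anomalies:", tokens_reading_multiple_ids(PER_USER_TOKEN_LOG))
```

The design point is the one the consultants make: once the token identifies the app rather than the account, the server has no authorisation input left except the client-chosen id, and its logs cannot later distinguish a legitimate lookup from an unauthorised one. Per-user tokens fix both at once, because the token becomes the identity used for the access check and the key an investigator can pivot on.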
Earlier this year, BrewDog CEO and co-founder James Watt apologized and vowed to “listen, learn and act” after a group of former employees gathered to allege a culture of fear in the company.