Hackers could have stolen beer from the Scottish brewery and pub chain BrewDog due to a vulnerability that exposed details of more than 200,000 shareholders.
The vulnerability in the company’s mobile app was discovered by security consultancy Pen Test Partners, which said that details belonging to customers and “Equity for Punks” shareholders had been accessible for over 18 months.
Because the app authenticated every user with the same bearer token, the server had no way to tie a request to the individual account making it, and it would have been “trivial” for any user to access someone else’s personally identifying information.
“But, best of all, shareholders get a free beer on the three days before or after their birthday under the terms of the Equity for Punks scheme,” the consultancy said.
“One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!”
Data exposed by the bug included names, dates of birth, phone numbers, email and delivery addresses, shareholdings and more.
Pen Test Partners said that this data would be considered personally identifying information under the UK’s data protection laws.
These laws also place an obligation on companies to keep that data secure, an obligation the consultancy said BrewDog’s app design had failed to meet.
BrewDog said it has now fixed the issue and that its audits found no evidence that hackers had stolen shareholders’ data, although the researchers caution that absence of evidence is not evidence of absence.
A spokesperson for the company said: “We were recently informed of a vulnerability in one of our apps by a third party technical security services firm, following which we immediately took the app down and resolved the issue.
“We have not identified any other instances of access via this route or personal data having been impacted in any way. There was therefore no requirement to notify users.
“We are grateful to the third party technical security services firm for alerting us to this vulnerability. We are totally committed to ensuring the security of our users’ privacy.”
“Our security protocols and vulnerability assessments are always under review and always being refined, in order that we can ensure that the risk of a cyber security incident is minimised,” they concluded.
Pen Test Partners added: “An obvious question is whether the data has been accessed by unauthorised persons.
“Whilst BrewDog say that they can’t currently see any evidence of that, we’re not quite sure how they would validate this: every request will be coming from a valid account with a valid (but identical!) bearer token.
“How therefore would they prove that the request was from the valid user and not from persons unknown?”
“It will need a very thorough forensic investigation to prove for certain that a breach hasn’t occurred,” the consultants added.
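The following is an added illustration of the two points the consultancy makes above: why a single bearer token shared by every user lets any account read any shareholder record, and why the resulting server logs cannot distinguish a legitimate request from an attacker’s. It is not BrewDog’s or Pen Test Partners’ code; the endpoint path, the token value, the shareholder IDs and records are all constructed for the example, and the hardened design (per-user session tokens with an object-level ownership check) is the standard fix rather than anything the article attributes to BrewDog.

```python
"""Toy model of the shared-bearer-token authorisation failure described in the
article, beside a hardened version. All endpoint names, tokens and records are
constructed for this example."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two shareholders (hypothetical IDs and details).
SHAREHOLDERS = {
    "1001": {"name": "Alice Example", "dob": "1990-05-14", "email": "alice@example.invalid"},
    "1002": {"name": "Bob Example", "dob": "1985-11-02", "email": "bob@example.invalid"},
}

# --- Vulnerable design: one static token shipped inside every copy of the app ---
SHARED_APP_TOKEN = "static-token-shipped-in-app"  # hypothetical value


def vulnerable_get_shareholder(auth_header: str, requested_id: str, log: list) -> Optional[dict]:
    """Accepts any request carrying the shared token. The shareholder ID in the
    path is never tied to the caller, so anyone with the app can read anyone."""
    if auth_header != f"Bearer {SHARED_APP_TOKEN}":
        log.append(f"GET /shareholder/{requested_id} Authorization=<invalid> -> 401")
        return None
    # The audit record cannot say *who* asked: the token is identical for every user.
    log.append(f"GET /shareholder/{requested_id} Authorization=Bearer {SHARED_APP_TOKEN} -> 200")
    return SHAREHOLDERS.get(requested_id)


# --- Hardened design: per-user opaque token, identity derived server-side ---
@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # token -> shareholder id

    def issue(self, shareholder_id: str) -> str:
        """Issue a fresh random session token bound to one shareholder."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = shareholder_id
        return token

    def whoami(self, auth_header: str) -> Optional[str]:
        """Resolve the presented bearer token to a shareholder ID, or None."""
        scheme, _, presented = auth_header.partition(" ")
        if scheme != "Bearer" or not presented:
            return None
        return self.sessions.get(presented)


def hardened_get_shareholder(store: SessionStore, auth_header: str,
                             requested_id: str, log: list) -> Optional[dict]:
    """Identity comes from the token, not the URL; the caller may only read
    their own record, and every log line names the caller."""
    caller = store.whoami(auth_header)
    if caller is None:
        log.append(f"GET /shareholder/{requested_id} caller=? -> 401")
        return None
    # Object-level authorisation: the record requested must belong to the caller.
    if not hmac.compare_digest(caller, requested_id):
        log.append(f"GET /shareholder/{requested_id} caller={caller} -> 403")
        return None
    log.append(f"GET /shareholder/{requested_id} caller={caller} -> 200")
    return SHAREHOLDERS.get(requested_id)


def demo():
    """Run both designs and return (leaked, blocked, own, vuln_log, hard_log)."""
    vuln_log, hard_log = [], []
    # Vulnerable: Bob (1002) reads Alice's (1001) record with the shared token...
    leaked = vulnerable_get_shareholder(f"Bearer {SHARED_APP_TOKEN}", "1001", vuln_log)
    # ...and Alice reading her own record produces a byte-identical log entry.
    vulnerable_get_shareholder(f"Bearer {SHARED_APP_TOKEN}", "1001", vuln_log)

    # Hardened: Bob's token cannot read Alice's record; Alice's can.
    store = SessionStore()
    bob_token = store.issue("1002")
    alice_token = store.issue("1001")
    blocked = hardened_get_shareholder(store, f"Bearer {bob_token}", "1001", hard_log)
    own = hardened_get_shareholder(store, f"Bearer {alice_token}", "1001", hard_log)
    return leaked, blocked, own, vuln_log, hard_log


if __name__ == "__main__":
    leaked, blocked, own, vuln_log, hard_log = demo()
    print("vulnerable leak:", leaked)
    print("vulnerable log lines identical:", vuln_log[0] == vuln_log[1])
    print("hardened cross-account read:", blocked)
    print("hardened log:", *hard_log, sep="\n  ")
```

The two vulnerable log lines are identical strings, which is exactly the forensic problem the consultancy raises: nothing server-side separates Alice reading her own record from Bob reading it. In the hardened version each line carries the caller’s identity, so an after-the-fact investigation can at least answer the question.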
Earlier this year BrewDog CEO and co-founder James Watt apologised and vowed to “listen, learn and act” after a group of ex-employees joined together to allege a culture of fear at the company.