BrewDog exposes data of 200,000 customers and shareholders

Company then tried to downplay the incident, security researchers allege


BrewDog, one of the world’s largest craft beer brewers, has exposed personally identifiable information (PII) belonging to more than 200,000 of its shareholders and customers, according to cybersecurity researchers.

Cybersecurity consulting firm PenTest Partners discovered that a flaw in the official BrewDog app, which persisted for more than 18 months, made it easy for anyone to access the PII of other users.

In its detailed report, PenTest Partners notes that the mobile app doled out the same hard-coded API Bearer Token to every user, which effectively rendered request authorization useless.


“It was therefore trivial for any user to access any other user’s PII, shareholding, bar discount, and more,” share the researchers.

The researchers say that, thanks to the flaw, any user could append the customerID of another user to the API endpoint URL to extract their PII and other details.
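As an added illustration (not code from BrewDog’s app or from PenTest Partners’ report), the authorization failure described above in a minimal Python API handler: the flawed shared-token design beside a per-user-token design that checks object ownership. All tokens, customer records and function names are constructed for the example.

```python
# Added illustration, not BrewDog's code: why a bearer token shared by every
# install cannot authorise a per-customer endpoint, and what the fix looks like.
from typing import Optional

# Constructed sample data; customer IDs, names and tokens are made up.
CUSTOMERS = {
    "1001": {"name": "Alice Example", "shares": 12, "bar_discount": 10},
    "1002": {"name": "Bob Example", "shares": 3, "bar_discount": 5},
}

# Flawed design: every copy of the app carries the same token, so a valid
# token proves only "this request came from the app", never "this is customer X".
APP_WIDE_TOKEN = "static-app-token-EXAMPLE"


def get_customer_flawed(auth_header: str, customer_id: str) -> Optional[dict]:
    """Authenticates the app, then trusts whatever customer ID is in the URL."""
    if auth_header != f"Bearer {APP_WIDE_TOKEN}":
        return None
    # Broken object-level authorization: any caller can read any customer.
    return CUSTOMERS.get(customer_id)


# Fixed design: tokens are issued per user at login; the server derives the
# caller's identity from the token and checks the requested record is theirs.
ISSUED_TOKENS = {
    "sess-alice-EXAMPLE": "1001",
    "sess-bob-EXAMPLE": "1002",
}

# Denied requests are recorded with the caller's identity. With a shared token
# every request looks identical in the logs, which is why abuse of the flawed
# design could not be told apart from normal traffic after the fact.
AUDIT_LOG: list[dict] = []


def get_customer_fixed(auth_header: str, customer_id: str) -> Optional[dict]:
    """Identity comes from the token, not the URL; ownership is enforced."""
    prefix = "Bearer "
    token = auth_header[len(prefix):] if auth_header.startswith(prefix) else ""
    subject = ISSUED_TOKENS.get(token)  # None for unknown or missing tokens
    if subject is None or subject != customer_id:
        AUDIT_LOG.append({"subject": subject, "object": customer_id, "denied": True})
        return None
    return CUSTOMERS[customer_id]
```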

In addition to being damaging to the user, the flaw could’ve also been used to adversely affect the company, since the leaked details could’ve been used to generate QR codes to get discounted and even free beers.

BrewDog started using hard-coded tokens with v2.5.5 of its app, launched in March 2020, before finally patching the flaw in the v2.5.13 release in September 2021.


Lack of alerts?

Worryingly, the company decided not to reveal the vulnerability to its users, even after it was fixed, going as far as to claim that there wasn’t anything “too exciting in this release”.

Furthermore, PenTest Partners says that, in its correspondence with the company, BrewDog claimed it found no evidence of the flaw being abused.

“We were recently informed of a vulnerability in one of our apps by a third party technical security services firm, following which we immediately took the app down and resolved the issue,” said the firm in a statement.

“We have not identified any other instances of access via this route or personal data having been impacted in any way. There was therefore no requirement to notify users.”

However, the researchers suggest that the nature of the flaw means its abuse wouldn’t have been apparent in the logs, making identifying misuse virtually impossible.

While the company had asked the researchers not to name it in their disclosure, BleepingComputer contends that BrewDog will be forced to inform the UK’s data protection regulator, since PII falls under the purview of the General Data Protection Regulation (GDPR).

However, it appears the company disagrees. In a private forum post seen by TechRadar Pro, the company told shareholders it is under no obligation to report the incident to the Information Commissioner’s Office (ICO), as per the advice of an external expert.

“The ICO is very clear on this,” the company wrote. “We have to notify when users' data has been put at risk. As this was a vulnerability report, and the only personal data that was accessed was that of the third party conducting the assessment, there is no requirement to notify.”

BrewDog also took steps to prepare shareholders for a backlash that may arise as a result of the bug discovery.

“Vulnerability disclosure is a key part of the cybersecurity landscape and is a common occurrence. Many businesses invite this practice and offer bounties to those who find issues. Unfortunately, following the negative press earlier this year, this occurrence may be viewed publicly through a different lens.”

TechRadar Pro has contacted BrewDog for comment.

Update: BrewDog has since provided us with the following statement:

“We are grateful to the third party technical security services firm for alerting us to this vulnerability. We are totally committed to ensuring the security of our user’s privacy. Our security protocols and vulnerability assessments are always under review and always being refined, in order that we can ensure that the risk of a cyber security incident is minimized.”

Via BleepingComputer

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.