BrewDog allegedly left the personal identifying information (PII) of around 200,000 shareholders exposed for the better part of 18 months, according to the security researchers who found the flaw. BrewDog "declined to inform their shareholders and asked not to be named" in the write-up of the investigation that revealed the vulnerabilities, according to PenTestPartners.
According to the cybersecurity company, the Scottish brewery's mobile app shipped with a hard-coded Bearer authentication token that the app used when calling BrewDog's API endpoints.
A bearer token of this kind is normally issued to a user only after they have entered their credentials. Because the token was hard-coded into the app instead, that verification step was skipped entirely: anyone who extracted the token from the app could present it and reach the endpoints without ever logging in.
Members of PenTestPartners who also happened to be BrewDog shareholders swapped one another's customer IDs into the API endpoint URLs. During testing they found that, with no check that the requested customer ID actually belonged to the caller, they could retrieve the PII of other Equity for Punks shareholders.
The exposed data included names, dates of birth, email addresses, gender, contact details, previous delivery addresses, shareholder numbers, number of shares held, referrals and other information. The customer IDs were not described as "sequential", but the ID space was still small enough to be brute-forced.
"An attacker could brute force the customer IDs and download the entire database of customers," the researchers said. "Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetime's supply of discount QR codes!"
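The two defects described above (a token shipped inside the app, and an endpoint that trusts the customer ID in the URL) and the enumeration the researchers describe, as an added example that is not from the original article or from BrewDog's own code. The endpoint path, token value and shareholder records are constructed stand-ins. The hardened handler shows the fix a practitioner would expect: a random token minted per login and bound to one customer ID, plus an ownership check before any record is returned.

```python
"""
Hard-coded bearer token + missing ownership check (an IDOR, or broken
object-level authorization bug), beside a hardened version of the same
endpoint. All data, tokens and paths below are constructed for this example.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample records standing in for the shareholder database.
CUSTOMERS = {
    1001: {"name": "Alice Example", "shares": 40, "address": "1 Sample St"},
    1002: {"name": "Bob Example", "shares": 2500, "address": "2 Sample St"},
    1003: {"name": "Carol Example", "shares": 12, "address": "3 Sample St"},
}

# The anti-pattern: one static token baked into every copy of the app (constructed value).
HARDCODED_TOKEN = "app-build-static-token"


@dataclass
class Request:
    path: str    # e.g. "/api/customers/1002" (hypothetical path)
    bearer: str  # value after "Bearer " in the Authorization header


def _customer_id_from_path(path: str):
    prefix = "/api/customers/"
    if not path.startswith(prefix):
        return None
    tail = path[len(prefix):]
    return int(tail) if tail.isdigit() else None


def vulnerable_handler(req: Request):
    """Accepts the app-wide token and returns whichever customer the URL names."""
    if not hmac.compare_digest(req.bearer, HARDCODED_TOKEN):
        return 401, None
    cid = _customer_id_from_path(req.path)
    if cid is None or cid not in CUSTOMERS:
        return 404, None
    return 200, CUSTOMERS[cid]  # no check that cid belongs to the caller


# Hardened version: a token is minted per login and mapped to exactly one
# customer ID, and the handler only serves the record owned by that customer.
_SESSIONS: dict = {}


def login(customer_id: int) -> str:
    """Stand-in for credential verification; issues a random per-user token."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = customer_id
    return token


def hardened_handler(req: Request):
    owner = _SESSIONS.get(req.bearer)
    if owner is None:
        return 401, None
    cid = _customer_id_from_path(req.path)
    if cid is None or cid != owner:
        # 404 rather than 403 so the endpoint does not confirm which IDs exist.
        return 404, None
    return 200, CUSTOMERS.get(cid)


def enumerate_customers(handler, bearer: str, id_range) -> dict:
    """What the researchers described: walk the ID space with a single token."""
    found = {}
    for cid in id_range:
        status, body = handler(Request(f"/api/customers/{cid}", bearer))
        if status == 200:
            found[cid] = body
    return found


if __name__ == "__main__":
    leaked = enumerate_customers(vulnerable_handler, HARDCODED_TOKEN, range(1000, 1010))
    print(f"vulnerable API: {len(leaked)} records retrieved with the shipped token")
    alice = login(1001)
    seen = enumerate_customers(hardened_handler, alice, range(1000, 1010))
    print(f"hardened API: {len(seen)} record(s) with Alice's token -> {sorted(seen)}")
```

Against the vulnerable handler, the shipped token alone walks the whole constructed database; against the hardened one, Alice's token returns only Alice's record, and every other ID looks nonexistent to her.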
Hard-coding authentication tokens, according to PenTestPartners, fails to meet the GDPR's requirement that personal data be protected by appropriate security measures, since some of the exposed PII falls within the regulation's scope.
The flaw dates back to March 2020, when version 2.5.5 of BrewDog's app introduced the hard-coded token. BrewDog's team remained unaware of it for a long time, and later releases kept shipping the same token scheme.
The problem was eventually fixed in version 2.5.13, released on 27 September 2021. BrewDog, however, did not mention the security fix in the release's changelog.
"The vulnerability is fixed," the researcher says. "As far as I know, BrewDog has not alerted their customers and shareholders that their details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I'm left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure."
BrewDog responded: "BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO."
However, the type of personal information exposed falls under the UK GDPR, which remains in force in the country, so the company is still bound by the regulation's duty to notify the UK's data protection authority, the Information Commissioner's Office (ICO), of any breach likely to put individuals at risk.