200,000 BrewDog shareholders involved in leak


Scottish beer company BrewDog has been involved in a cybersecurity scandal, with the sensitive data of a reported 200,000 shareholders being leaked to the public via a vulnerability.

The cybersecurity vulnerability occurred in the BrewDog mobile app. During the authentication process, a verification step was missed, allowing any malicious third party to gain access to a shareholder’s data via and their customer I.D.

As reported by Sky News, this vulnerability would first have been introduced in the 2.5.5 update to the BrewDog application, which was released in March 2020. The patch for the security risk was released as a reactive measure only a few days ago, which suggests the sensitive data was publicly accessible for the best part of 18 months.

Shareholder numbers, number of shares, names, phone numbers, dates of birth and delivery addresses were amongst the details publicly accessible via the vulnerability in the app.

The degree of sensitivity surrounding this data is of great concern and paves the way for fraud on a mass scale. Additionally, each person who was able to access the vulnerability within the app would have had access to three free beers on the days around their birthday, an offer that would have been easy to defraud by generating multiple QR codes using other users’ information.

Commenting upon the incident, BrewDog representatives stated:

“We were recently informed of a vulnerability in one of our apps […] we immediately took the app down and resolved the issue. We have not identified any other instances of access via this route or personal data having been impacted in any way. There was therefore no requirement to notify users.” 

Researcher Alan Monie independently tested the application for the vulnerabilities in question and provided a statement after the latest update released by BrewDog. That update was described on the app store as having “nothing too exciting in this release. Some updates to improve how the app gets your discount card(s).” and failed to mention the leaks.

"The vulnerability is fixed," Monie said. "As far as I know, BrewDog has not alerted their customers and shareholders that their personal details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I'm left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure."
