Posted on October 9, 2021 at 4:47 PM
Recent research has stated that BrewDog has exposed the personal identifiable information (PII) of around 200,000 shareholders. This data was exposed for a period of one and a half years.
This breach has exposed the situation that many businesses and users are in when they give out their personal details. Threat actors have advanced the tactics they use to attack businesses. A wide range of information is left exposed when the right cybersecurity systems are not exposed.
BrewDog Failed to Offer Extra Protection to Users
A recent report by PenTestPartners stated that BrewDog failed to act responsibly and inform shareholders that their data had been exposed. Moreover, the firm also urged the firm to not mention the firm’s name in the research that depicted a flaw in the security systems.
A report published by the security firm on October 8 stated that BrewDog used a Bearer authentication token that was hardcoded. The cybersecurity firm also noted that the token was linked to API endpoints later used in the Scottish brewer’s mobile applications.
These authentication tokens were returned, but they failed to serve their purpose in protecting user credentials. Instead of being triggered when a user has already issued their credentials to allow access to an endpoint, these credentials were hardcoded, and they missed major verification steps.
The research further notes that some of the shareholders who had been affected were members of PenTestPartners. These members appended their customer IDs to each other at the end of API endpoint URLs to conduct specific tests. These tests revealed that these members could access the PII of Equity for shareholders without dealing with a complex authentication process.
Some of the data that could be accessed due to this weakness includes the names, gender, dates of birth, email addresses, telephone numbers, delivery addresses, the number of shareholders, the amount of shared held, referrals and more details. Nevertheless, the IDs of customers were not deemed ‘sequential.’
In the report, the researchers stated that “An attacker could brute force the customer IDs and download the entire database of customers. Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetimes supply of discount QR codes.”
In addition, PenTestPartners stated that some of the exposed PII fell under the category of GDPR protection banner. Furthermore, the process of hard-coding authentication tokens makes it even harder for these tokens to meet the required standards.
Security Weakness attributed to Unresolved Patch
The research also stated that once the older versions of the BrewDog app were assessed, the weakness was introduced in version 2.5.5, released in March 2020. Furthermore, this patch was not resolved for around one and a half years.
After PenTestPartners revealed these findings, a cybersecurity researcher known as Alan Monie tested six different builds. The resulting research showed that the issue was fixed after four attempts, and it has been patched in version 2.5.13 released to the public on September 27.
Nevertheless, the update on this latest version does not mention that it was a patch to a weakness. Nevertheless, the researcher noted that the vulnerability was fixed.
“As far as I know, BrewDog has not alerted their customers and shareholders that their personal details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I’m left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure,” the research added.
On the other hand, ZDNet has received a response from BrewDog stated that the company was alerted about a vulnerability in one of their apps. According to the brewer, their security team took down the app and resolved the matter.
“We have not identified any other instances of access via this route or personal data having been impacted in any way. There was, therefore, no requirement to notify users,” the BrewDog response added.
BrewDog also added that it appreciated the efforts of the third-party cybersecurity firm for revealing this vulnerability. It also reassured customers of its commitment to user privacy and stated that its cybersecurity infrastructure was being reviewed to ensure that exposure to cybersecurity crimes was minimal.
“BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO,” BrewDog added.