28 October 2021

BrewDog: hackers could have stolen beer and 200,000 shareholders’ details

United Kingdom | Digitalisation’s boons and risks. A flaw in BrewDog’s mobile app could have exposed personal information of more than 200,000 Equity for Punks shareholders and customers – as well as letting hackers steal beer, if they so desired. The incident was reported on several Geek websites.

Researchers at cyber security consultancy firm PenTest Partners, who happen to be among BrewDog’s shareholders, discovered the vulnerability. Their website www.pentestpartners.com said on 8 October 2021 that the data had been accessible for more than 18 months. It included names, dates of birth, email and delivery addresses, contact numbers, shareholdings and more.

PenTest’s researchers were quoted as saying: “An attacker could brute force the customer IDs and download the entire database of customers. Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetimes supply of discount QR codes!”

Under the terms of the Equity for Punks scheme, shareholders get a free beer on the three days before or after their birthday. “One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog,” they said.

The problem proved hard to fix

The problem arose in March 2020 with the release of the app. BrewDog fixed the issue last month, but it took four failed attempts. According to PenTest Partners, BrewDog neglected to notify its users, even after the glitch was remedied.

BrewDog told Sky News that it found no evidence to suggest that hackers had stolen shareholder data. “There was, therefore, no requirement to notify users,” it said. The company also claimed that it was not required to report the security incident to the Information Commissioner's Office (ICO), as users' data was not put at risk.

PenTest remains unconvinced. “Whilst BrewDog say that they can’t currently see any evidence of that, we’re not quite sure how they would validate this: every request will be coming from a valid account with a valid (but identical!) bearer token. How therefore would they prove that the request was from the valid user and not from persons unknown?”

“BrewDog will need a very thorough forensic investigation to prove for certain that a breach hasn’t occurred.”

Brauwelt International Newsletter

Newsletter archive and information

Mandatory field