BrewDog Exposed Data For Over 200,000 Shareholders and Customers

BrewDog, the Scottish brewery and pub chain famous for its crowd-ownership model and its tasty IPAs, has irreversibly exposed the details of 200,000 of its shareholders and customers.

The exposure lasted for over 18 months, and the point of the leak was the firm's mobile app, which gives the 'Equity Punks' community access to information, discounts at bars, and more.

As detailed in a PenTestPartners report, the problem lies in the app's API, and more specifically in its token-based authentication system. The security blunder comes from the fact that these tokens were hard-coded into the mobile application instead of being issued to it only after a successful user authentication event.

As such, anyone was free to append any customer ID to the end of the API endpoint URL and access sensitive PII (personally identifiable information) for that customer.
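To make the failure concrete, here is an added, constructed model of the pattern described above and of the corrected pattern; it is not code from BrewDog's app or from the PenTestPartners report. The vulnerable handler accepts one token that is the same for every app install and trusts the customer ID in the URL; the fixed handler issues a per-user token at login and serves only the record bound to that token. The token value, customer records and the password check are placeholders.

```python
"""Constructed model of a hard-coded API token plus object-level
authorization failure, beside the per-user-token fix."""
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample customer records (not real data).
CUSTOMERS = {
    "c1001": {"name": "Alice", "email": "alice@example.com", "shares": 50},
    "c1002": {"name": "Bob", "email": "bob@example.com", "shares": 120},
}

# Vulnerable pattern: one token baked into the app binary, shared by
# every user. Placeholder value, not the real token.
HARDCODED_APP_TOKEN = "app-static-token-PLACEHOLDER"


def get_customer_vulnerable(token: str, customer_id: str) -> Optional[dict]:
    """Checks only that the caller presents the app-wide token, then returns
    whichever record the caller named in the URL. Because the token proves
    nothing about WHO is calling, any customer ID can be read."""
    if not hmac.compare_digest(token, HARDCODED_APP_TOKEN):
        return None
    return CUSTOMERS.get(customer_id)


# Fixed pattern: tokens are minted per user after authentication and are
# bound server-side to exactly one customer ID.
SESSIONS: Dict[str, str] = {}  # token -> customer_id


def login(customer_id: str, password_ok: bool) -> Optional[str]:
    """Issue a fresh random token only after the credential check succeeds.
    password_ok stands in for a real password/MFA check (assumption)."""
    if not password_ok or customer_id not in CUSTOMERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def get_customer_fixed(token: str, customer_id: str) -> Optional[dict]:
    """Resolve the caller's identity from the token first, then refuse any
    request whose URL parameter names a different customer."""
    owner = SESSIONS.get(token)
    if owner is None or not hmac.compare_digest(owner, customer_id):
        return None
    return CUSTOMERS[owner]
```

The key difference is that in the fixed version the customer ID in the URL is never the source of authorization; the server-side session binding is.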

Details that could be exposed in this simple way include the following:

  • Name
  • Date of Birth
  • Email address
  • Gender
  • All previously used delivery addresses
  • Telephone number
  • Number of shares held
  • Shareholder number
  • Bar discount amount
  • Bar discount ID – used to create the QR code
  • Number of referrals
  • Type of beer previously purchased

[Image] App user details exposed as a result of abusing the API. – PenTestPartners

While these IDs aren't sequential, they do follow a discernible pattern, which gives a better starting point for enumeration than simply entering random numbers.

Apart from the fact that anyone could access the sensitive details of other app users, shareholders and customers of BrewDog, the implications of this finding also hit the company itself. An abuser of the flaw could get endless free beer and discounts by generating QR codes from "loaded" accounts.

The flaw existed since March 2020, when BrewDog started using hard-coded tokens with app version 2.5.5. Unfortunately, BrewDog's team missed this flaw for an extended period of time and failed to secure their token system in the multiple subsequent releases that followed.

Eventually, the issue was patched in version 2.5.13, which came out on September 27, 2021. BrewDog, though, chose not to disclose anything of importance in the changelog notice for that release.

[Image] Release notes don't disclose addressing a massive data leak risk. – PenTestPartners

The researcher reports that BrewDog downplayed the importance of his findings and repeatedly claimed to have seen no evidence of a data breach. From a practical perspective, even if the company had been actively looking for signs of a breach, there wouldn't have been any, because requests exploiting this flaw look like ordinary, authenticated API traffic.

To our knowledge, BrewDog has not informed its shareholders and customers of the possibility that their data has been breached. We have reached out to them for comment but have not heard back yet.

Due to the nature of the exposed data, the company will also have to inform the UK's data protection officer, as PII falls under GDPR, which is still applicable in the country.
