Scottish brewing company BrewDog left the information of around 200,000 shareholders exposed for more than 18 months. The issue was caused by a mistake in the code of its mobile application that could allow anyone to access the stored PII without any authentication. Names, dates of birth, email addresses, genders, telephone numbers, previously used delivery addresses, shareholder numbers, shares held, referrals, and more could all be accessed. A researcher by the name of Alan Monie helped BrewDog fix the application. Monie stated, “As far as I know, BrewDog has not alerted their customers and shareholders that their personal details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I’m left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure.” BrewDog said it carried out extensive investigations and found that no PII was compromised, and that it therefore does not need to disclose the issue.
BrewDog made a mistake that left hundreds of thousands of shareholders’ information vulnerable. Organizations that want to avoid the same outcome should:
• Enforce Strong Authentication
• Encrypt Mobile Communications
• Patch App and Operating System Vulnerabilities
• Optimize Data Caching
These are just some of the many recommendations that will help keep mobile applications safe.