More than 200,000 BrewDog shareholders and customers had their details exposed for over 18 months, according to a security consulting and testing services firm.
It comes as the beer maker prepares for an initial public offering, which would require it to step up its data security.
Details such as names, dates of birth, email addresses, delivery addresses used and phone numbers could be retrieved for members of its ‘Equity for Punks’ scheme, Pen Test Partners (PTP) found.
The cause was that every mobile app user could authorise their requests with the exact same token, issued by the app, which PTP said rendered the authorisation process “useless”.
The security testing firm added: “It’s public knowledge that BrewDog are considering an IPO. We are concerned for future investors if BrewDog’s wider approach to security and disclosure is this weak.”
Pen Test Partners said the data available would be considered personally identifying information (PII) under the UK’s data protection laws.
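As an added illustration, not code from PTP, BrewDog or this article, the Python sketch below contrasts the flaw described above, where the server accepts one token shared by every copy of the app and so cannot tell callers apart, with a design that binds each token to a single user and checks record ownership on every request. The shareholder records, token values and function names are constructed for this example.

```python
import hmac
import secrets

# Constructed sample data for this example: two shareholder records keyed by id.
SHAREHOLDERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid"},
}

# --- Flawed design: one token baked into the app, identical for every user ---
SHARED_APP_TOKEN = "app-build-token-constructed"  # same value in every install


def get_shareholder_shared_token(headers, shareholder_id):
    """Checks only that the caller holds the app token; never checks WHICH user."""
    presented = headers.get("Authorization", "")
    if not hmac.compare_digest(presented, "Bearer " + SHARED_APP_TOKEN):
        return 401, None
    # Nothing ties the token to a user, so whatever id is requested is served.
    return 200, SHAREHOLDERS.get(shareholder_id)


# --- Hardened design: per-user session tokens, ownership enforced server-side ---
SESSIONS = {}  # session token -> shareholder id (in-memory store for the example)


def login(shareholder_id):
    """Issue a fresh, unguessable session token bound to exactly one shareholder."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = shareholder_id
    return token


def get_shareholder_per_user(headers, shareholder_id):
    """Authenticate the caller from the session, then authorise the object access."""
    presented = headers.get("Authorization", "")
    if not presented.startswith("Bearer "):
        return 401, None
    caller_id = SESSIONS.get(presented[len("Bearer "):])
    if caller_id is None:
        return 401, None  # unknown or shared token: no identity, no access
    if caller_id != shareholder_id:
        return 403, None  # object-level check: only your own record is readable
    return 200, SHAREHOLDERS.get(shareholder_id)
```

Detection-wise, the flawed design leaves no per-user identity in server logs, so one token fetching many different record ids is the signal to alert on.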
Jake Moore, former Head of Digital Forensics at Dorset Police and now Cybersecurity Specialist at the global cybersecurity firm ESET, said: “Personal identifiable information must be stored safely and securely and companies must do their best to protect it from attacks or being easily leaked.
“The amount of PII stored on websites is often far more than we tend to realise and the worry is that in the wrong hands it can have a very damaging effect on people.”
A spokesperson for BrewDog said: “We were recently informed of a vulnerability in one of our apps by a third party technical security services firm, following which we immediately took the app down and resolved the issue.
“We have not identified any other instances of access via this route or personal data having been impacted in any way. There was therefore no requirement to notify users.”
The spokesperson added that the company is “grateful to the third party technical security services firm for alerting” it to the issue.
“We are totally committed to ensuring the security of our users’ privacy. Our security protocols and vulnerability assessments are always under review and always being refined, in order that we can ensure that the risk of a cyber security incident is minimised.”