More than 200,000 BrewDog shareholders and customers had their details exposed for over 18 months, according to a security consulting and testing services firm.
It comes as the beer maker prepares for an initial public offering, which would require it to step up its data security.
Details such as names, dates of birth, email addresses, previously used delivery addresses and phone numbers of members of the ‘Equity for Punks’ scheme could be retrieved, Pen Test Partners (PTP) found.
This was because every mobile app user was issued the same API Bearer Token, which PTP said rendered its authorisation request “useless”: the token proved only that a request came from the app, not which customer was making it.
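To illustrate the design flaw PTP describes, here is a constructed example (not BrewDog's or PTP's code; the record store, token values and function names are assumptions) contrasting an API that hands every app install the same bearer token with one that issues a per-user token and derives the caller's identity from it server-side. In the weak design, possession of the app-wide token plus any customer identifier is enough to read that customer's record; in the hardened design a token can only ever read its own owner's record.

```python
"""Added example: why a single app-wide bearer token gives no per-user authorisation.

Everything here is constructed for illustration: the profile store, the
shared token string and the session handling are assumptions, not the
real service's code.
"""
import hmac
import secrets

# Constructed sample data: two shareholder records keyed by an internal user id.
PROFILES = {
    "u-1001": {"name": "Alice Example", "email": "alice@example.invalid"},
    "u-1002": {"name": "Bob Example", "email": "bob@example.invalid"},
}


class AuthError(Exception):
    """Raised when a request is not authenticated or not authorised."""


# --- Weak design: one token baked into every copy of the mobile app ---------
SHARED_APP_TOKEN = "app-wide-token-ASSUMED"  # assumed value, same for every user


def weak_get_profile(auth_header, requested_user_id):
    """The token only proves 'this request came from our app'.

    Identity is taken from the request parameter, so any valid app install can
    read any customer's record. This is the pattern the article describes.
    """
    if auth_header != f"Bearer {SHARED_APP_TOKEN}":
        raise AuthError("missing or wrong app token")
    return PROFILES[requested_user_id]


# --- Hardened design: per-user opaque tokens, identity derived server-side --
# Maps an opaque random token to the user it was issued to at login.
_SESSIONS = {}


def login(user_id):
    """Issue a fresh, unguessable token bound to exactly one user."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = user_id
    return token


def _user_from_header(auth_header):
    """Resolve the bearer token to a user id, or fail closed."""
    if not auth_header or not auth_header.startswith("Bearer "):
        raise AuthError("no bearer token")
    presented = auth_header[len("Bearer "):]
    # Constant-time comparison avoids leaking token prefixes via timing.
    for token, uid in _SESSIONS.items():
        if hmac.compare_digest(token, presented):
            return uid
    raise AuthError("unknown token")


def get_profile(auth_header, requested_user_id):
    """A caller may only read the record belonging to the token's own user."""
    caller = _user_from_header(auth_header)
    if caller != requested_user_id:
        raise AuthError("forbidden: token does not belong to that user")
    return PROFILES[requested_user_id]


if __name__ == "__main__":
    # Weak design: the shared token reads Bob's record on request.
    print(weak_get_profile(f"Bearer {SHARED_APP_TOKEN}", "u-1002"))
    # Hardened design: Alice's token reads Alice, and is refused for Bob.
    alice = login("u-1001")
    print(get_profile(f"Bearer {alice}", "u-1001"))
    try:
        get_profile(f"Bearer {alice}", "u-1002")
    except AuthError as exc:
        print("refused:", exc)
```

The point of the hardened version is that the credential itself identifies the user, so the server never trusts a client-supplied identifier for access decisions; a shared token cannot provide that binding no matter how well it is protected in transit.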
The security testing firm added: “It’s public knowledge that BrewDog are considering an IPO. We are concerned for future investors if BrewDog’s wider approach to security and disclosure is this weak.”
Pen Test Partners said the data available would be considered personally identifying information (PII) under the UK’s data protection laws.
Jake Moore, former Head of Digital Forensics at Dorset Police and now cybersecurity specialist at global cybersecurity firm ESET, said: “Personal identifiable information must be stored safely and securely and companies must do their best to protect it from attacks or being easily leaked.
“The amount of PII stored on websites is often far more than we tend to realise and the worry is that in the wrong hands it can have a very damaging effect on people.”
City A.M. has contacted BrewDog for comment.