Beer going flat? BrewDog in data security issues

APIs will be the most frequent attack vector by 2022. How secure is your business?

Lagers can be pale, amber, or dark. Image by Wolfgang Sauber. (CC BY-SA 3.0)

BrewDog has suffered from an API security flaw. The vulnerability in the company’s mobile app was discovered by security consultancy Pen Test Partners. The analysts found details belonging to the alcoholic drinks company’s customers and its so-called “Equity for Punks” shareholders were accessible for a period of over 18 months.

The impacted data included names, dates of birth, email addresses, gender, delivery addresses, phone numbers, shareholder numbers, bar discount details and IDs, referrals made and beer buying history.

Security expert Nathanael Coffing, CSO and Cofounder of Cloudentity, tells Digital Journal that such flaws represent a worrying turn of events within the business community.

Coffing begins by setting the scene of this latest cybersecurity incident: “The lack of properly configured identity and authorization on BrewDog’s application programming interface (API) ultimately left the personally identifiable information (PII) of 200,000 shareholders publicly exposed online for anyone to access.”

This could mean trouble brewing, depending upon what happens with the data. Coffing warns: “If this sensitive data falls in the wrong hands, victims could be at risk of identity theft, fraud or highly targeted phishing schemes.”

In terms of the pertinent lessons for business, Coffing finds: “There’s a significant amount of risk associated with APIs due to the massive amounts of data they collect and exchange with other machines on a daily basis, and companies often struggle to keep them secure.”

The longer-term trends do not bode well either, Coffing finds: “As Gartner forecasts that APIs will be the most frequent attack vector by 2022.” As a result, application leaders must independently design and execute an effective API security strategy to protect their APIs.

Therefore, the security expert recommends: “Organizations must ensure all their APIs are securely operated within automated identity, authorization, consent and governance guardrails.”

There are other measures as well: “Additionally, equipping APIs with context-based, granular authorization and following a Zero Trust API authorization approach is critical to prevent data leakage and breaches.”

Based on this, Coffing is confident some of the security risks can be eliminated: “With these necessary security guardrails and consent controls, organizations can confidently deliver applications and services while maintaining data security.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
