The personal information of thousands of beer drinkers was left exposed by a pub chain's Wi-Fi provider. Brewhouse & Kitchen is a small chain of pubs across the UK with 23 locations, including London, Nottingham, Chester, Cardiff and Bristol.
Customers attempting to access the free Wi-Fi were asked to provide their names, emails, dates of birth, phone numbers and other personal details.
Oliver Hough, an independent security researcher, came across a spreadsheet file with more than 17,000 such records in an open directory hosted by Brewhouse’s Wi-Fi provider, Focus Group.
He says that he found the records while checking for open directories, as the server was indexed on the Shodan search engine. Shodan is a search engine for internet-connected devices, useful for researchers looking for anything that shouldn’t be online.
The Brewhouse database recorded which pub each user logged into and when, and whether the customer wanted to be added to marketing lists. The researcher states that phone numbers and email addresses could be used in scams or phishing campaigns, while details such as date of birth and device type can be used to add legitimacy to a scam.
However, there is no evidence showing whether hackers have downloaded the data. It was left exposed online for anyone with the technical know-how to access.
Hough contacted Brewhouse, and the directory was removed from open access within five days. The companies have contacted the Information Commissioner’s Office (ICO) to report the incident.
Vicki Rishbeth, director of Focus Group, said that they were made aware of a possible breach of Brewhouse & Kitchen’s data and are in the process of notifying the ICO, following the GDPR policy.
Brewhouse & Kitchen said in a statement that they have worked with Focus Group to identify the source of the breach and have stopped the leak. They confirmed that all compromised records had been deleted and that they are working to contact those affected.