👤 AUDITWOLF
🗓️ 21 Jan 2026   🌍 Europe

Cheers and Fears: Inside Carlsberg’s Wristband Data Leak and the Silencing of Security Researchers

A simple event wristband became a privacy nightmare, as Carlsberg ignored warnings and tried to muzzle the messenger.

It was supposed to be a celebration - a branded event in Copenhagen where Carlsberg Group, the global beer giant, handed out clever wristbands to guests. But beneath the fun lay a ticking privacy time bomb. When UK-based cybersecurity researcher Alan Monie scanned his own wristband, he stumbled onto a glaring vulnerability: anyone with a laptop and a little know-how could access hundreds of other visitors’ names, photos, and videos. What followed was a months-long saga of stonewalling, regulatory risk, and a corporate attempt to hush up the truth.

Fast Facts

  • Carlsberg event wristbands linked to personalized media pages via QR codes and 7-digit numeric IDs.
  • No authentication or brute-force protection allowed easy access to hundreds of visitors’ personal photos, videos, and names.
  • The vulnerability was reported through Carlsberg’s official disclosure channel and flagged as high severity (CVSS 7.5).
  • Over 150 days passed without a fix or meaningful response; the researcher was told not to publish the findings.
  • Exposed information qualifies as PII under GDPR, raising potential legal and regulatory concerns.

The Anatomy of an Avoidable Breach

The “memories” wristbands were designed for delight: scan the QR code, relive your night through a personal gallery. But the security was laughably weak. Each page was guarded only by a 7-digit number - no password, no user verification, and no defense against automated scripts. Within hours, Monie’s basic script had harvested hundreds of attendees’ pages, complete with full names and media. For a corporation operating across Europe, this was more than a technical oversight; it was a GDPR violation waiting to happen.
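To make the design flaw concrete from the defender's side, here is an added example (not code from Pen Test Partners, Carlsberg, or the gallery platform) that contrasts the keyspace of a 7-digit numeric page ID with a random 128-bit token, shows a token-keyed gallery lookup that cannot be walked sequentially, and runs a simple enumeration detector over constructed access-log lines. The `/memories/` path, the `GalleryStore` class and the log format are assumptions for illustration; the IP addresses come from the documentation ranges.

```python
import math
import secrets
from collections import defaultdict

# The page says each wristband gallery was addressed by a 7-digit number.
WEAK_ID_DIGITS = 7
# Size of the random token used by the hardened store below (16 bytes = 128 bits).
TOKEN_BYTES = 16


def weak_keyspace_bits():
    """Entropy (in bits) of a 7-digit decimal identifier: log2(10^7), about 23.3."""
    return math.log2(10 ** WEAK_ID_DIGITS)


def strong_keyspace_bits():
    """Entropy of the random gallery token: 8 bits per byte."""
    return TOKEN_BYTES * 8


def make_gallery_token():
    """Unguessable, URL-safe gallery identifier drawn from the OS CSPRNG."""
    return secrets.token_urlsafe(TOKEN_BYTES)


class GalleryStore:
    """Hypothetical replacement for a sequential-ID gallery lookup.

    Galleries are keyed by a random token; one token reveals nothing about
    any other, so the only option is guessing, and the keyspace makes that
    impractical even before rate limiting is considered.
    """

    def __init__(self):
        self._galleries = {}

    def create(self, owner_name, media):
        token = make_gallery_token()
        self._galleries[token] = {"name": owner_name, "media": list(media)}
        return token

    def lookup(self, token):
        # Unknown tokens return None so the caller can emit a uniform 404
        # without leaking whether a gallery exists.
        return self._galleries.get(token)


# Constructed access-log lines (documentation IP ranges), one per request:
# "<client_ip> <method> <path> <status>".
SAMPLE_LOG_LINES = [
    "198.51.100.12 GET /memories/4418203 200",   # a guest opening their own page
    "203.0.113.7 GET /memories/1234560 404",
    "203.0.113.7 GET /memories/1234561 404",
    "203.0.113.7 GET /memories/1234562 200",
    "203.0.113.7 GET /memories/1234563 404",
    "203.0.113.7 GET /memories/1234564 404",
    "203.0.113.7 GET /memories/1234565 200",
    "203.0.113.7 GET /memories/1234566 404",
    "198.51.100.44 GET /memories/9021177 200",
]


def detect_enumeration(log_lines, max_distinct_ids=5):
    """Flag clients that walk the gallery ID space.

    Two signals are combined: many distinct gallery IDs from one client, or a
    strictly sequential run of IDs that includes misses (404s). A legitimate
    guest scans one wristband and requests one ID.
    """
    per_client = defaultdict(list)
    for line in log_lines:
        ip, _method, path, status = line.split()
        if not path.startswith("/memories/"):
            continue
        gallery_id = path.rsplit("/", 1)[1]
        per_client[ip].append((gallery_id, int(status)))

    flagged = {}
    for ip, hits in per_client.items():
        numeric_ids = sorted({int(g) for g, _ in hits if g.isdigit()})
        misses = sum(1 for _, status in hits if status == 404)
        sequential = len(numeric_ids) > 1 and all(
            b - a == 1 for a, b in zip(numeric_ids, numeric_ids[1:])
        )
        if len(numeric_ids) > max_distinct_ids or (sequential and misses > 0):
            flagged[ip] = {
                "distinct_ids": len(numeric_ids),
                "not_found": misses,
                "sequential": sequential,
            }
    return flagged


if __name__ == "__main__":
    print(f"7-digit ID keyspace: {weak_keyspace_bits():.1f} bits; "
          f"random token: {strong_keyspace_bits()} bits")
    store = GalleryStore()
    token = store.create("Guest A", ["photo1.jpg"])
    print("gallery token:", token, "->", store.lookup(token)["name"])
    for ip, info in detect_enumeration(SAMPLE_LOG_LINES).items():
        print("enumeration suspected from", ip, info)
```

The keyspace numbers are the point: a 7-digit ID offers roughly 23 bits, which an unthrottled script exhausts quickly, while a 128-bit token is out of reach regardless of request rate. The detector is deliberately simple; in practice it would run over a time window and feed a rate limiter or block list, but even this version separates the single-wristband guest from a client stepping through consecutive IDs and collecting 404s along the way.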

Monie acted responsibly, reporting the flaw via Carlsberg’s third-party platform, Zerocopter. The initial response seemed promising: the risk was acknowledged, given a high severity rating, and flagged for urgent remediation. But then, radio silence. No confirmations, no updates, and - crucially - no evidence the issue was fixed. After five months and a retest showing the vulnerability still open, the story took a darker turn: Zerocopter informed Monie that publishing the details was “not allowed.”

Pen Test Partners, Monie’s firm, refused to be silenced. “Responsible disclosure” isn’t just an industry buzzword - it’s a cornerstone of digital safety. Their decision to go public, after extensive delays and corporate stonewalling, highlights a recurring tension: companies eager to reap the benefits of digital innovation, but slow to own up to their mistakes.

The GDPR’s reach is clear: any company that collects personal data in the EU must protect it, even at a beer festival. Carlsberg’s inaction and attempts to stifle disclosure could invite regulatory scrutiny, not to mention a loss of public trust. As of publication, Carlsberg has yet to issue a statement - or an apology - to those whose data was exposed.

Conclusion: Lessons in Transparency

This incident is a stark reminder: flashy tech and fun experiences mean little if users’ privacy is an afterthought. For Carlsberg, the real hangover may come not from the event, but from how it handled the aftermath - by ignoring the messenger and leaving its guests exposed.

WIKICROOK

  • QR Code: A QR Code is a two-dimensional barcode that stores data like links or text, easily scanned by devices but can also hide malicious instructions.
  • PII (Personally Identifiable Information): PII is any information that can identify a person, like a name, address, or social security number, and must be protected to ensure privacy.
  • Brute Force: A brute-force attack is an automated hacking method where attackers try many passwords or keys until they find the correct one to gain unauthorized access.
  • CVSS (Common Vulnerability Scoring System): CVSS is a standard system for rating the severity of security vulnerabilities, assigning scores from 0 (low) to 10 (critical) to guide response priorities.
  • GDPR (General Data Protection Regulation): GDPR is a strict EU law that gives people control over their personal data and sets rules for organizations handling such information.
