Carlsberg Event Wristband Leaked PII, Researcher Told Not to Disclose

A poorly secured wristband system used at a Carlsberg exhibition allowed access to visitor photos, videos, and full names. Attempts to report the issue were ignored for months.

Carlsberg Group, a Danish multinational brewer, is in the news for unexpected reasons after a cybersecurity researcher uncovered a vulnerability in wristbands handed out during a branded exhibition in Copenhagen. The wristbands, designed to let attendees access media from the event, exposed personal data through a simple numeric identifier, with no proper authentication or brute-force protection.

Each wristband included a QR code linking to a personalized “memories” page. But the only thing protecting each visitor’s page was a 7-digit numeric ID. A basic script running on a single laptop was able to find hundreds of valid IDs quickly, revealing photos, videos, and the full names of visitors.

The researcher behind the discovery, Alan Monie of UK-based Pen Test Partners (PTP), submitted ...