Full Report
Researcher shows how anyone can access Copenhagen experience attendees' names, videos
Exclusive: The Carlsberg exhibition in Copenhagen offers a bunch of fun activities, like blending your own beer, and the Danish brewer lets you relive those memories by making images available to download after the tour is over.…
Analysis Summary
# Incident Report: Carlsberg Exhibition Attendee Data Disclosure via Brute-Forceable Wristbands
## Executive Summary
A security researcher found that attendee data from the Carlsberg Experience exhibition in Copenhagen, including names and images, was accessible because the wristband identification codes used to retrieve visitor memories were guessable. The ID scheme allowed automated brute-forcing at a rate of 1 million IDs in two hours, exposing the personal information of approximately 13,000 regular monthly visitors. Carlsberg's remediation attempt with rate limiting was ineffective, leaving the vulnerability active at the time of public disclosure.
## Incident Details
- Discovery Date: August 2025 (Date of researcher's visit and initial testing)
- Incident Date: August 2025 – Present (window during which the vulnerability remained exploitable; still unresolved at disclosure)
- Affected Organization: Carlsberg (Specifically the Copenhagen Experience exhibition)
- Sector: Tourism/Food & Beverage (Exhibition Services)
- Geography: Copenhagen, Denmark
## Timeline of Events
### Initial Access
- **Date/Time:** August 2025.
- **Vector:** Direct interaction with a customer-facing web interface.
- **Details:** Visitors enter their wristband ID, which expires after 30 days, on the Carlsberg website to download photos taken during their tour. The researcher (Ken Munro) identified that the structure of these wristband IDs made them susceptible to automated guessing.
### Lateral Movement
- Not applicable; the flaw gave direct access to individual records from guessable inputs, with no internal network movement required.
### Data Exfiltration/Impact
- **Data Accessed:** Attendee names, images, and videos associated with the wristband IDs.
- **Volume:** The researcher tested 1 million IDs in two hours, of which about 500 resolved to real records; scaled to the full 26 million ID space, that hit rate implies around 13,000 active wristbands. Potentially all visitor data associated with active wristbands could be exfiltrated.
### Detection & Response
- **Detection:** Discovered independently by security researcher Ken Munro (Pen Test Partners) following his personal visit in August 2025.
- **Response Actions:**
- **Aug 19, 2025:** Vulnerability reported to Carlsberg via Zerocopter under a Vulnerability Disclosure Policy (VDP).
- **Nov 11, 2025:** Carlsberg provided an initial response, claiming the issue was addressed by applying rate limitations and requesting retesting.
- **Post-Nov 11:** Researcher retested, confirmed brute-forcing was still possible, and reported this back to Carlsberg, but received no further response.
- **Dec 2025:** Researcher sought clarification via Zerocopter regarding disclosure timelines but was advised patience was required. (Issue remained unresolved).
- **Jan 16, 2026:** Public disclosure by *The Register*.
## Attack Methodology
- **Initial Access:** Predictable sequential/alphanumeric identifier construction used for physical access tokens (wristbands).
- **Persistence:** Not applicable (stateless access to records).
- **Privilege Escalation:** Not applicable (exploited a design flaw in authorization/identifier handling, not elevated privileges).
- **Defense Evasion:** The initial rate limiting implemented by Carlsberg was either ineffective or applied incorrectly (e.g., not on the API endpoint), allowing rapid automated testing.
- **Credential Access:** Not applicable (no passwords compromised).
- **Discovery:** Enumeration of the wristband ID space (26 million combinations) and correlation of IDs to retrieved personal data (names/images).
- **Lateral Movement:** Not applicable.
- **Collection:** Automated requests (via Burp Suite) iterating over millions of candidate wristband IDs encoded as hex strings.
- **Exfiltration:** Downloading retrieved media files (images/videos) upon successful ID validation.
- **Impact:** Leak of Personally Identifiable Information (PII) and potentially sensitive image/video data, raising data protection concerns (GDPR compliance noted).
## Impact Assessment
- **Financial:** Not disclosed. Potential regulatory fines under GDPR if investigated.
- **Data Breach:** Names, personal images, and videos of hundreds to thousands of exhibition attendees.
- **Operational:** Minor immediate operational impact on the exhibition platform, but significant reputational risk due to the nature of the exposed data.
- **Reputational:** Significant negative press, highlighted by the sarcastic framing of the security posture ("Probably not the best security in the world").
## Indicators of Compromise
- **Network Indicators:** High volume of sequential or patterned requests originating from single or clustered sources hitting the image retrieval API endpoint (Defanged example: `[API_ENDPOINT]/retrieve?id=[sequential_hex_string]`).
- **File Indicators:** N/A (Data was downloaded, not malware dropped).
- **Behavioral Indicators:** Rapid, automated iteration across a predictable ID space exceeding normal user interaction patterns.
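A detection check for the network and behavioral indicators above, written here as an added illustration rather than anything from the report or from Carlsberg: it runs over constructed access-log lines, assumes a `/retrieve?id=` path taken from the defanged example, and flags a source whose hex IDs advance in small steps within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from the incident). Path and parameter
# name follow the page's defanged example and are assumptions, not the real API.
SAMPLE_LOG = """\
2025-08-20T10:00:00Z 203.0.113.7 GET /retrieve?id=000a3f 404
2025-08-20T10:00:00Z 203.0.113.7 GET /retrieve?id=000a40 404
2025-08-20T10:00:01Z 203.0.113.7 GET /retrieve?id=000a41 200
2025-08-20T10:00:01Z 203.0.113.7 GET /retrieve?id=000a42 404
2025-08-20T10:00:02Z 203.0.113.7 GET /retrieve?id=000a43 404
2025-08-20T10:00:03Z 203.0.113.7 GET /retrieve?id=000a44 404
2025-08-20T10:00:03Z 198.51.100.4 GET /retrieve?id=1b77c2 200
2025-08-20T10:05:00Z 198.51.100.4 GET /retrieve?id=1b77c2 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /retrieve\?id=([0-9a-fA-F]+) (\d{3})$")

def parse(log_text):
    """Yield (timestamp, source_ip, id_as_int, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), int(m.group(3), 16), int(m.group(4))

def find_enumerators(log_text, window_s=60, min_requests=5, max_step=4):
    """Flag sources that issue many lookups inside one window whose hex IDs
    advance in small steps (sequential probing), and count how many probes
    resolved to a real record (HTTP 200). A genuine visitor reloads one ID."""
    by_src = defaultdict(list)
    for ts, src, ident, status in parse(log_text):
        by_src[src].append((ts, ident, status))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        if len(events) < min_requests:
            continue
        span = (events[-1][0] - events[0][0]).total_seconds()
        if span > window_s:
            continue
        ids = [e[1] for e in events]
        steps = [b - a for a, b in zip(ids, ids[1:])]
        if all(0 < s <= max_step for s in steps):
            findings[src] = {"requests": len(events),
                             "hits": sum(1 for e in events if e[2] == 200),
                             "span_seconds": span}
    return findings
```

The `hits` count is what distinguishes a working enumeration from noise: probes that return 200 are records actually disclosed.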
## Response Actions
- **Containment measures:** Carlsberg allegedly deployed rate limitations, though effectiveness was disputed by the researcher.
- **Eradication steps:** Not confirmed; retesting showed the vulnerability persisted up to public disclosure.
- **Recovery actions:** Not documented, but likely involved re-engineering the wristband ID generation and/or access control mechanism to enforce true uniqueness and non-predictability.
## Lessons Learned
- The structure and generation of unique identifiers used for customer interaction must be complex enough (e.g., high entropy, non-sequential) to resist automated enumeration and brute-forcing.
- Implementing security controls (like rate limiting) must be thoroughly verified post-deployment by independent parties to ensure they effectively mitigate the identified attack vector.
- Vendor/Security partners in the responsible disclosure process must adhere to transparent and timely communication, as deliberately slow communication can be abused to circumvent public commitment timelines.
## Recommendations
- Immediately cease using sequential or easily guessable identifiers for sensitive data retrieval. Transition to cryptographically secure, non-sequential identifiers (e.g., random UUIDs drawn from a CSPRNG, not time- or sequence-based ones).
- Implement strict, granular rate limiting and anomaly detection on all customer-facing input fields, especially those querying user data.
- Establish and adhere to strict Service Level Agreements (SLAs) for vulnerability remediation timelines, communicated clearly to researchers.
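To make the first two recommendations concrete, an added example (not from the report or from Carlsberg's systems): it scores the legacy ID space with the figures the report gives (26 million combinations, 1 million guesses in two hours), then sketches a hypothetical token store that issues CSPRNG tokens, stores only their hashes, and budgets lookups per source.

```python
import hashlib
import math
import secrets

# Figures stated in the report: the legacy wristband ID space and the
# brute-force rate the researcher observed (1 million IDs in two hours).
LEGACY_ID_SPACE = 26_000_000
OBSERVED_RATE_PER_HOUR = 1_000_000 / 2
TOKEN_BYTES = 24  # 192 bits of randomness for the replacement identifier

def entropy_bits(space_size):
    """Guessing resistance of an identifier drawn uniformly from space_size."""
    return math.log2(space_size)

def hours_to_sweep(space_size, rate_per_hour=OBSERVED_RATE_PER_HOUR):
    """Hours needed to try every value in the space at the observed rate."""
    return space_size / rate_per_hour

class MemoryStore:
    """Hypothetical replacement for wristband-derived IDs: issues random
    tokens, keeps only their SHA-256 so a leaked table is not reusable,
    and enforces a per-source lookup budget per fixed time window."""

    def __init__(self, lookups_per_window=5, window_s=60):
        self._records = {}   # sha256(token) -> visitor record
        self._budget = {}    # source -> [window_start, count]
        self.limit, self.window_s = lookups_per_window, window_s

    def issue_token(self, record):
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, not a counter
        self._records[hashlib.sha256(token.encode()).hexdigest()] = record
        return token

    def lookup(self, token, source, now):
        """Return ("ok", record), ("not_found", None) or ("rate_limited", None).
        Misses consume budget too, so an enumeration stalls after `limit`."""
        start, count = self._budget.get(source, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0
        if count >= self.limit:
            self._budget[source] = [start, count]
            return "rate_limited", None
        self._budget[source] = [start, count + 1]
        record = self._records.get(hashlib.sha256(token.encode()).hexdigest())
        return ("ok", record) if record is not None else ("not_found", None)
```

At the observed rate the legacy space is exhausted in 52 hours, whereas a 192-bit token cannot be swept at any realistic rate, which is why the rate limit is a second layer rather than the fix itself.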