Carlsberg Event Wristband Security Flaw Exposes Attendee Personal Data

At a time when data privacy concerns are top of mind for consumers and regulators alike, a new security issue has emerged involving the use of digital wristbands at a Carlsberg Group event in Copenhagen. Intended to enhance visitor experience by sharing photos and videos from the event, these wristbands instead became a gateway to exposing personal information of attendees — and the company’s response to the problem has sparked controversy.

What Happened?

Carlsberg, the Danish multinational brewer known for its iconic beer brands, handed out interactive wristbands at a branded exhibition that let visitors view photos and videos captured during the event. However, a security researcher discovered the system protecting these “memories” was fundamentally flawed.

Each wristband carried a QR code that linked to a personalised web page. That page was protected by nothing more than a 7-digit numeric identifier: no login, no unguessable token, and no rate limiting or lockout to slow down guessing. By running a script on a laptop, the researcher was able to walk through candidate wristband IDs and, for every valid one, retrieve the associated visitor's full name, photos, and videos.

Security testing further showed how cheap the attack was. A 7-digit identifier gives only 10 million possible values, and enough wristbands were in use that trying a small fraction of that space turned up valid ones. With ordinary tooling such as Burp Suite, the researcher brute-forced hundreds of valid IDs in a matter of hours and estimated that the entire ID space could be enumerated in a couple of days.
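The arithmetic behind that finding, and the two controls that close the hole, in a small simulation. This is an added example for this article, not Pen Test Partners' script or Carlsberg's code; the in-memory "gallery", the assumed 20,000 live wristbands, the assumed 50 requests per second and all names are constructed for illustration.

```python
"""Simulation of the wristband ID weakness and the controls that close it.
Added example for this article, not Pen Test Partners' script or
Carlsberg's code; gallery size, request rate and names are assumptions."""
import math
import random
import secrets
from typing import Optional

ID_DIGITS = 7               # the page's 7-digit numeric identifier
ID_SPACE = 10 ** ID_DIGITS  # 10,000,000 candidate IDs


def build_weak_gallery(n_valid: int, seed: int = 1) -> dict[int, str]:
    """Constructed stand-in for the vulnerable backend: visitor records
    keyed by a 7-digit number drawn uniformly from the ID space."""
    rng = random.Random(seed)
    ids = rng.sample(range(ID_SPACE), n_valid)
    return {wid: f"Visitor {i}" for i, wid in enumerate(ids)}


def weak_lookup(gallery: dict[int, str], wristband_id: int) -> Optional[str]:
    """The flaw in one line: the ID is the only gate, and any ID is accepted."""
    return gallery.get(wristband_id)


def enumerate_weak(gallery: dict[int, str], max_requests: int) -> int:
    """Attacker's loop: scan IDs sequentially within a request budget.
    Returns the number of valid IDs (and therefore visitor records) found."""
    return sum(1 for wid in range(max_requests)
               if weak_lookup(gallery, wid) is not None)


def expected_requests_per_hit(n_valid: int) -> float:
    """Requests an attacker expects to spend per valid ID: the ID space
    divided by the number of live wristbands. Density, not secrecy, sets
    the attacker's cost."""
    return ID_SPACE / n_valid


def full_scan_hours(requests_per_second: float) -> float:
    """Hours needed to try every ID at an assumed request rate."""
    return ID_SPACE / requests_per_second / 3600


def entropy_bits(space: int) -> float:
    """Guessing entropy of an identifier drawn from `space` values."""
    return math.log2(space)


class RateLimiter:
    """Fix 2: fixed-window request counter per client. This is the control
    that caps brute force if short IDs must stay (e.g. wristbands already
    printed); `now` is passed in so the limiter is deterministic to test."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit, self.window_s = limit, window_s
        self._windows: dict[str, tuple[float, int]] = {}

    def allow(self, client: str, now: float) -> bool:
        start, count = self._windows.get(client, (now, 0))
        if now - start >= self.window_s:   # window expired: open a new one
            start, count = now, 0
        if count >= self.limit:
            return False
        self._windows[client] = (start, count + 1)
        return True


def build_hardened_gallery(n_valid: int) -> dict[str, str]:
    """Fix 1: key each record by a 256-bit token from the OS CSPRNG and put
    that token in the QR code. Guessing a live token is infeasible."""
    return {secrets.token_urlsafe(32): f"Visitor {i}" for i in range(n_valid)}


def hardened_lookup(gallery: dict[str, str], token: str, client: str,
                    limiter: RateLimiter, now: float) -> tuple[str, Optional[str]]:
    """Fix 1 and Fix 2 together: rate-limit before touching the store, then
    look up by unguessable token. Returns (status, record)."""
    if not limiter.allow(client, now):
        return "rate_limited", None
    record = gallery.get(token)
    return ("ok", record) if record is not None else ("not_found", None)


if __name__ == "__main__":
    weak = build_weak_gallery(20_000)           # assumed 20,000 live wristbands
    hits = enumerate_weak(weak, 1_000_000)
    print(f"weak: {hits} valid IDs in 1,000,000 requests "
          f"(expected one per {expected_requests_per_hit(20_000):.0f})")
    print(f"weak: full scan at 50 req/s takes {full_scan_hours(50):.1f} h; "
          f"{entropy_bits(ID_SPACE):.1f} bits vs {entropy_bits(2**256):.0f} bits")
    hard = build_hardened_gallery(3)
    lim = RateLimiter(limit=2, window_s=60.0)
    print("hardened guess:", hardened_lookup(hard, "0000001", "attacker", lim, 0.0))
```

Two things the simulation makes visible that the prose does not. First, with the assumed 20,000 live wristbands an attacker needs roughly 500 requests per hit, so a million requests yield about 2,000 visitor records; the cost is set by how densely the space is populated, not by the number being "secret". Second, a 7-digit number carries about 23 bits of guessing entropy, whereas a 32-byte token from `secrets` carries 256, which is why replacing the identifier is the real fix and rate limiting is only a backstop.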

Responsible Disclosure — But No Effective Fix

After uncovering the vulnerability, the researcher, Alan Monie of UK-based Pen Test Partners, reported it through Carlsberg's official vulnerability disclosure channel, which is run by a third-party platform. The report was rated high severity (CVSS 7.5), a rating that should have triggered a coordinated response from the company.

Carlsberg acknowledged the report, but communication soon stalled. The company missed multiple milestones in its own vulnerability response timeline and, over the following months, provided no meaningful updates and no confirmation that the flaw had been fixed. When the researcher retested, IDs could still be brute-forced despite the mitigations Carlsberg claimed to have applied, which is why a reporter should verify a fix rather than accept a status change.

This prolonged silence and lack of action ultimately pushed the researcher to publish the findings more than 150 days after the original report, well beyond the 90-day window that is the widely used norm for coordinated disclosure.

Complicating matters, the disclosure platform told the researcher that they were not allowed to publish details of the flaw. Pen Test Partners disagreed, noting that keeping the issue hidden while it remains unresolved defeats the purpose of responsible disclosure.

What Data Was at Risk?

Although the exposed information (names, photos, and event videos) might seem less sensitive than financial or login data, it is still personal data as defined by Europe's General Data Protection Regulation (GDPR); "personally identifiable information" (PII) is the US term for the same category. A name linked to a photograph is enough to identify a living person, and GDPR places strict obligations on organisations collecting and processing such data even when it is used only in the context of a promotional event.

Critics argue that Carlsberg’s handling of the discovery raises questions about its commitment to data security. The ability for a stranger to access personal media and full names with little more than a numeric guess is exactly the sort of risk regulators aim to prevent.

Why It Matters

This incident underscores several broader issues in cybersecurity today:

  • Security by Obscurity Is Not Enough
    A short numeric ID is a guessable value, not a credential. Putting data behind one without authentication, unguessable identifiers, or rate limiting is the classic insecure direct object reference pattern and invites enumeration, even in low-stakes applications such as event photo sharing.
  • Responsible Disclosure Must Be Meaningful
    A process that acknowledges reports but fails to act erodes trust between security researchers and the organizations they’re trying to help.
  • Regulatory Risks Are Real
    Organisations that process personal data in the EU must ensure they meet GDPR requirements and appropriately protect that data or risk enforcement actions.

Final Thoughts

In an era where privacy is a major concern, even seemingly benign uses of digital technology need robust security. The Carlsberg wristband case serves as a cautionary tale: innovative customer experiences must be built on secure foundations — or they risk exposing the very people they’re meant to engage.