Security vulnerabilities in Carlsberg's exhibition wristbands exposed visitor names and images, demonstrating inadequate GDPR safeguards despite researcher warnings.
A security vulnerability in Carlsberg's visitor wristband system allowed unauthorized access to customer data at its Copenhagen exhibition center, constituting a clear violation of General Data Protection Regulation (GDPR) requirements. The flaw, discovered by Pen Test Partners researcher Ken Munro in August 2025, enabled brute-force attacks on wristband IDs used to access visitor photos and videos. This incident illustrates critical failures in implementing GDPR-mandated security measures.
Visitors to The Carlsberg Experience receive wristbands containing alphanumeric codes that grant access to personal photos taken during brewery tours. As Munro discovered, these IDs followed a predictable pattern allowing 26 million possible combinations – insufficient complexity for sensitive personal data. Using Burp Suite software, Munro demonstrated that a single laptop could brute-force 1 million IDs within two hours, potentially accessing all valid IDs within 52 hours.
The compromised data included visitor names and multimedia content captured during exhibition activities – precisely the category of personal information protected under GDPR Article 32. This regulation requires organizations processing EU citizen data to implement "appropriate technical and organizational measures" ensuring security commensurate with risk. Specifically, GDPR mandates:
- Prevention of unauthorized access to personal data
- Protection against brute-force attacks through rate limiting
- Regular security testing and vulnerability assessments
- Prompt remediation of identified weaknesses
Carlsberg's response timeline reveals significant compliance process failures:
- August 19, 2025: Vulnerability reported via Zerocopter platform
- November 11, 2025: First response from Carlsberg (86 days later)
- Post-remediation: Rate limiting implemented but proved ineffective during retesting
- As of January 2026: Vulnerability remains exploitable with no further communication
This delayed response violates GDPR Article 33's requirement to address vulnerabilities without undue delay. The ineffective rate limiting solution demonstrates inadequate implementation of Article 32 safeguards.
Organizations handling similar visitor data must implement these compliance measures:
- Access Control Enhancement: Increase ID complexity exponentially beyond 26 million combinations
- Technical Safeguards: Implement certificate pinning and strict API rate limiting
- Data Minimization: Store media for shorter durations than current 30-day retention
- Vulnerability Response Protocol: Establish 14-day maximum response timelines for security reports
- Third-Party Audits: Conduct quarterly penetration testing of public-facing systems
Under GDPR Article 83, such violations can incur fines up to €20 million or 4% of global annual turnover. Beyond financial penalties, the reputational damage from mishandling researcher disclosures compounds compliance failures. Organizations should review their vulnerability disclosure programs using resources like the GDPR Article 32 guidelines and ENISA's security measures catalogue.
Comments
Please log in or register to join the discussion