Carlsberg Event Wristband Leaked PII, Researcher Told Not to Disclose – Hackread – Cybersecurity News, Data Breaches, AI, and More

Carlsberg Group, a Danish multinational brewer, is in the news for unexpected reasons after a cybersecurity researcher uncovered a vulnerability in wristbands handed out during a branded exhibition in Copenhagen. The wristbands, designed to let attendees access media from the event, exposed personal data through a simple numeric identifier, with no proper authentication or brute-force protection.

Each wristband included a QR code linking to a personalized “memories” page. But the only thing protecting each visitor’s page was a 7-digit numeric ID. A basic script running on a single laptop was able to find hundreds of valid IDs quickly, revealing photos, videos, and the full names of visitors.

The researcher behind the discovery, Alan Monie of UK-based Pen Test Partners (PTP), submitted the vulnerability through Carlsberg’s official bug reporting channel, a third-party disclosure platform. It was scored as a high-severity issue (CVSS 7.5) and flagged for remediation. But after an initial acknowledgment, communication stalled. Carlsberg failed to follow its own disclosure timelines and provided no confirmation that the issue had been resolved.

Months later, the researcher retested the system and confirmed that brute-force enumeration was still possible. Rate limiting and access controls, if implemented at all, were ineffective. Over 150 days after the initial report, with no progress or meaningful updates, the researcher decided to publish the findings.
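The two failures described above, a guessable sequential identifier and no effective rate limiting, are the pattern worth fixing and detecting. The following is an added example written for this page, not code from Hackread, Pen Test Partners or Carlsberg: it shows the entropy gap between a 7-digit numeric ID and a random capability token, a minimal per-client rate limiter, and a log check that flags the kind of ID scanning the researcher performed. The `/memories/<id>` path, the log format and the sample log lines are constructed assumptions, not the real endpoint or real traffic.

```python
import math
import re
import secrets
from collections import defaultdict

# ---- Root-cause fix: an unguessable capability token instead of a 7-digit ID ----

def numeric_id_bits(digits: int) -> float:
    """Bits of entropy in a purely numeric identifier of the given length."""
    return digits * math.log2(10)

def new_memories_token() -> str:
    """Issue a 128-bit, URL-safe random token for a visitor's page.
    Assumption: the server stores a token -> visitor mapping and the token is
    the only thing encoded in the QR code, so guessing a valid one is infeasible."""
    return secrets.token_urlsafe(16)  # 16 random bytes = 128 bits

# ---- Rate limiting: cap lookups per client in a fixed time window ----

class FixedWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._buckets = {}  # client -> (window_start, count)

    def allow(self, client: str, now: float) -> bool:
        start, count = self._buckets.get(client, (now, 0))
        if now - start >= self.window:      # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self._buckets[client] = (start, count)
        return count <= self.limit

# ---- Detection: spot sequential-ID scanning in access logs ----

# Constructed log format modelled on the common Apache/nginx combined format;
# the /memories/<id> path is an assumption, not the real endpoint.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /memories/(?P<id>\d+)[^"]*" (?P<status>\d{3})'
)

def find_enumeration(log_lines, min_ids=20, miss_ratio=0.8):
    """Return {ip: (distinct_ids, misses)} for clients that requested at least
    `min_ids` distinct page IDs with at least `miss_ratio` of them answered 404.
    A real visitor opens one or two IDs; a scanner walks hundreds and mostly
    misses, which is the search for valid IDs the article describes."""
    ids = defaultdict(set)
    misses = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ids[m["ip"]].add(m["id"])
        if m["status"] == "404":
            misses[m["ip"]] += 1
    flagged = {}
    for ip, seen in ids.items():
        if len(seen) >= min_ids and misses[ip] / len(seen) >= miss_ratio:
            flagged[ip] = (len(seen), misses[ip])
    return flagged

def constructed_log():
    """Constructed sample: one client walking 25 sequential IDs (23 misses),
    one legitimate visitor opening their own page twice."""
    lines = []
    for i in range(25):
        status = 200 if i in (4, 17) else 404
        lines.append(f'203.0.113.7 - - [10/Oct/2025:12:00:{i:02d} +0000] '
                     f'"GET /memories/{1000000 + i} HTTP/1.1" {status} 512')
    for sec in ("00", "30"):
        lines.append(f'198.51.100.4 - - [10/Oct/2025:12:01:{sec} +0000] '
                     f'"GET /memories/1000004 HTTP/1.1" 200 8192')
    return lines

if __name__ == "__main__":
    print(f"7-digit numeric ID: {numeric_id_bits(7):.1f} bits; random token: 128 bits")
    print("example token:", new_memories_token())
    print("flagged scanners:", find_enumeration(constructed_log()))
```

The limiter alone is not a fix: a 7-digit space is only about 23 bits, so a throttled scanner still finds valid pages over time. The random token removes the guessable space; the limiter and the log check are the second layer that also gives the operator a signal when someone tries.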

Photo of one of the visitors the researcher managed to access by exploiting the vulnerability (Image credit: Pen Test Partners (PTP))

GDPR, Disclosure Suppression and Delays

The exposed data, full names linked to photos and videos, qualifies as personally identifiable information (PII) under GDPR. Organizations collecting such data, even during promotional events, are obligated to protect it. Carlsberg’s failure to secure that data or respond adequately to a responsible disclosure may raise regulatory questions.

To make matters worse, Carlsberg’s disclosure platform, Zerocopter, told the researcher that publication of the vulnerability was not allowed. This came after months of silence and no resolution. Pen Test Partners rejected the restriction, stating it contradicted responsible disclosure practices. After more than 150 days without a fix or follow-up, they went public.

Their blog post is available here. Carlsberg has not issued a public statement on the matter. However, this is not the first time Pen Test Partners has faced issues with responsible vulnerability disclosure to vendors. In December 2025, researchers reported that Eurostar, the well-known high-speed rail operator, accused them of blackmail after they responsibly disclosed critical flaws in its AI chatbot.
