The Copenhagen-based Tivoli, one of the oldest and most popular amusement parks in Europe, has now joined the unfortunate online "rogues gallery" of major Danish companies whose customer data has been hacked from their websites.
Details about the extent of the early August hack into the website of Denmark's premier tourist destination are only made public on Saturday.
Hackers targeted My Tivoli, a site where guests can login and access Tivoli products and annual cards. They can use My Tivoli to access the theme park and get an overview of past purchases.
A Chinese-themed theatre in Tivoli Gardens, Copenhagen, Denmark. /VCG Photo
Tivoli, the spiritual home of over 4 million thrill-seeking visitors, admitted that this popular website had been compromised when up to a thousand guests had their personal information stolen: names, addresses, phone numbers, e-mail addresses, date of birth and information about guests' previous purchases at Tivoli, even credit card information.
Jonas Buhl Gregersen, Tivoli's director of IT and business development, deemed the hack "intelligent" rather than a classic "brute force attack."
During this "intelligent" attack on My Tivoli, Gregersen explained, there were a maximum of three logins with the same email address and a maximum of two with the wrong password. In contrast, a brute force hack would have tried to log in with the same email address continuously for a prolonged period.
The night view of Tivoli Gardens, Copenhagen, Denmark. /VCG Photo
Gregersen said the hack was discovered quickly by vigilant website administrators who noticed an unusual spike in customer logins.
The spike occurred due to innocent guests logging in to their account, along with hackers, after they received an automatic email from Tivoli informing them that their My Tivoli profile had been logged onto from a different device.
Despite the breach, Gregersen could provide no good explanation as to the motives of the attackers, only suggesting that hackers may have have been testing the systems security, "curious" about what could be done.
Christmas market in Tivoli Gardens, Copenhagen, Denmark. /VCG Photo
No similar incidents have ever happened on the My Tivoli website before this.
Immediately following the discovery of the hack, all affected customers were both informed and assured that no credit cards were used to make purchases. The site is now secure.
The incident was reported to both the police and the Danish Data Inspectorate.
(Cover: Illuminated restaurant at night in Tivoli Gardens, Copenhagen, Denmark. /VCG Photo )