Cyber Incident Victim: Tivoli
Date: Aug 2019
Location: Denmark
Summary
Hackers compromised the website of a prominent Danish amusement park, resulting in the theft of personal information belonging to up to 1,000 guests. The breach, which occurred in early August, targeted one of Europe's oldest and most popular tourist destinations and made Tivoli another major Danish company to suffer a significant customer data compromise through its online systems.
Description
In early August 2019, unauthorized actors breached the website of Tivoli Park, a historic amusement park in Copenhagen and one of Europe’s oldest and most frequented tourist attractions. The cyberattack resulted in the theft of personal information belonging to as many as 1,000 guests. Details about the incident’s scope were not publicly disclosed until August 17, 2019, when media outlets reported the breach. The attack targeted customer data stored on Tivoli’s web systems, though the specific vulnerabilities exploited or methods used by the attackers were not described in available sources. No information was provided regarding how the intrusion was detected, whether systems were taken offline during the investigation, or what immediate containment measures were implemented by the organization.

The compromised data’s exact nature—such as names, payment details, or contact information—remained unspecified in public reporting. The breach positioned Tivoli among a growing list of major Danish companies that experienced customer data theft through website compromises, though the other affected entities were not named. Tivoli’s status as Denmark’s premier tourist destination amplified concerns about reputational harm following the incident. No customer-facing mitigation steps, such as credit monitoring offers or forced password resets, were detailed in the available information. The park did not disclose whether regulatory authorities or law enforcement were notified, nor were any operational disruptions or financial impacts quantified. Consequences centered on the unauthorized data access itself and the park’s inclusion in a broader pattern of Danish corporate cyber incidents.
