§ Case study · Security research 2020 · Disclosure cycle · Fixed

DSB — responsible disclosure

The full Danish railway ticket database — exposed at age 16.

Reported through responsible disclosure. Remediated. No data was misused.

Discovered a critical vulnerability in DSB (Danish national railway) ticketing infrastructure that exposed the full ticket database — including records from internal terminals — containing personally identifiable information. Reported responsibly; DSB remediated.

  • Tags: Security · Web · Disclosure · PII · DSB
  • Age at discovery: 16 (2020)
  • Severity: Critical (full DB exposure)
  • PII exposed: Yes (ticket-level records)
  • Disposition: Fixed (responsible disclosure)

§ Abstract

In 2020, while still in school, I found a vulnerability in DSB’s ticketing infrastructure that exposed the entire ticket database — including records from internal terminals used by station staff — containing personally identifiable information at the ticket-level granularity.

Reported through responsible disclosure. DSB remediated. No data was misused.

§ What I won’t say

The specific vector — and the parameter that made it work — stays out of public writing forever. Disclosure was responsible because the vendor needed time to remediate without an arms race against opportunists. It’s been remediated for years now; the path stays buried because a redesigned internal system might still echo the old assumption.

§ Why this matters

The disclosure is on this site for one reason: I was sixteen when I found it, and it’s the moment I learned that “national infrastructure” doesn’t mean “actually secure.” The systems that power day-to-day life — railway ticketing, in this case — are often held together by the same kind of assumptions you’d see in any small startup, just at a much larger blast radius.

Every project on this site since then has been informed by that observation.

§ Outcomes

  • DSB remediated the underlying flaw
  • No data was misused, exfiltrated, or shared beyond the disclosure channel
  • No public bug bounty existed at the time — the disclosure was direct
  • Policy lesson taken forward: responsible disclosure is the right default when the affected party has no formal program; aggressive disclosure is for parties that refuse to engage

The DSB report is also why I take security seriously in everything I ship now. When you’ve held that much PII in your hands by accident at 16, you don’t forget what it feels like.
