Ajax data breach exposed season tickets, supporter bans open to tampering
AFC Ajax, the Dutch football club from Amsterdam, disclosed that an unknown hacker gained access to parts of its IT systems and obtained the email addresses of a few hundred people.
The hack exploited vulnerabilities in Ajax’s app and website, including exposed APIs and shared access keys.
The club stated that names, email addresses, and dates of birth were accessed for fewer than 20 individuals subject to a stadium ban. An RTL journalist, who was approached by the hacker, alerted the club to the incident.
“For now, we know that access was gained to part of our systems and data, but at this moment we have no indication that the data has been further spread. Nevertheless, we remind everyone that it is always wise to stay alert for unwanted emails (spam) or phishing messages,” AFC Ajax said in a statement.
The journalist also demonstrated that tickets could be transferred to others and that stadium bans could be modified.
According to RTL, the hack makes it possible to access private data from more than 300,000 registered Ajax fans and to steal or disable more than 42,000 season tickets. Season ticket holders cannot prevent this: a ticket can be removed from their account and then can no longer be used. The flaw also exposes which 538 Ajax supporters currently have an active stadium ban.
The club said it had launched an investigation with external experts into the cause and scope of the incident, patched the vulnerabilities, and strengthened its security. A police report was filed, and the Dutch Data Protection Authority was notified.
“We advise everyone once again to be extra alert to suspicious emails and never to click on links or open attachments from unknown senders,” Ajax warned.
The fact that the vulnerability was disclosed to a journalist and did not end up on the dark web may indicate that the hacker did not have malicious intentions.