Police arrest suspect in Ajax football club hack that exposed 300,000 fan records

The Dutch National Police arrested a man suspected of hacking into the computer systems of AFC Ajax, a football club from Amsterdam.

“On the morning of Tuesday, May 26, detectives arrested a 35-year-old man from the municipality of Buren for computer intrusion at the Amsterdam football club Ajax. The man is suspected of intentionally and unlawfully entering Ajax’s computer systems multiple times ,” the police said.

The investigation began after AFC Ajax discovered unauthorized access to its computer systems earlier this year. Dutch police traced the intrusion to a suspect from the municipality of Buren and arrested him following the investigation.

During the search, police seized various data carriers for further investigation.

Ajax disclosed the intrusion on March 25, 2026, saying the attack exploited vulnerabilities in the club’s app and website, including exposed APIs and shared access keys.

The suspected hacker first approached an RTL journalist and shared details about the vulnerabilities. The journalist later demonstrated that tickets could be transferred to other users and that stadium bans could be modified.

According to RTL, the vulnerabilities exposed private data belonging to more than 300,000 registered Ajax fans and could have allowed attackers to steal or disable more than 42,000 season tickets. RTL also reported that the flaws exposed information on 538 supporters with active stadium bans.

AFC Ajax has since patched the vulnerabilities exploited in the attack and reported the incident to Dutch police and the country’s data protection authority.