Ajax confirms major data breach affecting fans and season tickets

Ajax has confirmed a data breach on its website, following coverage by RTL Nieuws. According to the club, only the email addresses of a few hundred people were accessed, and for fewer than 20 individuals with stadium bans, their names, email addresses, and birth dates were also viewed.

As RTL Nieuws revealed, Ajax confirmed that the hack potentially allowed season tickets to be reassigned and stadium bans to be modified. “We have notified all affected parties personally,” the club said. The incident has been reported to the Dutch Data Protection Authority, and a police report has been filed.

RTL Nieuws reported that the hack potentially exposed the personal data of all 300,000-plus registered Ajax fans. It may also have allowed more than 42,000 season tickets to be stolen or rendered unusable. Additionally, the private data of the 538 supporters with stadium bans could have been altered, and their bans potentially removed.

Ajax confirmed that a report has been made to the police. A police spokesperson said it is too soon to provide details about the breach, but an investigative team is actively looking into it. The club said it is investigating the “cause and extent” of the breach. “We have patched the vulnerabilities in question and enhanced our security measures,” Ajax stated.

RTL Nieuws’s technical investigation found that the weakness was in a website API (Application Programming Interface), which enabled attackers to access data with a simple script, without needing to log in. Amsterdam’s Police Cybercrime Team is looking into whether the incident is linked to the recent takedown of the criminal forum LeakBase, where databases from Dutch companies were previously sold.

As a precaution, Ajax recommends that all registered fans update their passwords, particularly if they use the same password for other accounts or services.

Ajax has faced digital security issues before. In 2021, a potential data breach occurred on a fan platform, prompting the club to pledge improvements to its cybersecurity measures.