Data Breach Uncovered at Ajax Football Club: Ticket Hijacking Scandal Revealed

Ajax Football Club Data Breach Exposes Fan Information and Ticket Vulnerabilities

A prominent Dutch football institution, Ajax Amsterdam (AFC Ajax), recently made public the discovery of a breach in its IT infrastructure, resulting in unauthorized access to sensitive data belonging to a limited number of individuals.

The breach, facilitated by exploited vulnerabilities, allowed for the unauthorized transfer of purchased tickets and modifications to existing stadium bans.

Notably, the club was alerted to the security concerns by journalists who were informed by the perpetrator behind the breach.

AFC Ajax boasts an illustrious history in the football world, having clinched the prestigious UEFA Champions League title on four occasions and won 36 championships in the Eredivisie, the premier football league in the Netherlands.

According to the official statement released by AFC Ajax, the unauthorized access primarily compromised email addresses of a few hundred individuals, with additional exposure of names, email addresses, and dates of birth of fewer than 20 individuals subject to stadium bans.

Independent investigations by RTL journalists, following a tip-off from the hacker, corroborated the security vulnerabilities, demonstrating the ability to transfer season tickets, alter stadium ban records, and access comprehensive fan data through APIs and shared keys.

During a demonstration, RTL successfully reassigned a VIP season ticket within seconds, highlighting the severity of the breach. The potential impact extended to the manipulation of 42,000 season tickets, 538 supporter stadium bans, and access to details of over 300,000 accounts.

Subsequently, AFC Ajax has enlisted external professionals to assess the extent of the breach and ascertain its origins. The club stated that the compromised data has not been disseminated.

Immediate actions were taken to address the vulnerabilities, with additional security protocols implemented to safeguard against future breaches. Authorities, including the Dutch Data Protection agency and law enforcement, have been notified of the incident.

While the motives behind the breach appear non-malicious, with the hacker opting to disclose the vulnerabilities rather than exploit them for personal gain, questions linger regarding the extent of prior exploitation of Ajax’s security loopholes.

As a precautionary measure, Ajax fans who have interacted with the club’s systems or purchased season tickets are advised to remain vigilant for any suspicious communications, particularly those purporting to represent AFC Ajax.
