Ajax suffers major own goal as data breach hits personal info of 300,000 fans


  • Ajax football club suffers breach exposing sensitive fan data
  • Ethical hacker showed vulnerability in app affecting 300,000 accounts
  • Flaw allowed ticket transfers, stadium ban removals, and access to personal details

Ajax Amsterdam, one of the biggest football clubs in the Netherlands and across Europe, has confirmed it suffered a data breach in which it allegedly lost sensitive data on 300,000 people.

The club published a press release saying it had recently discovered a hacker “unlawfully gaining access to parts” of its systems.

“Data was viewed”, the club said, adding that the hacker accessed emails of “a few hundred people”. Ajax also said that for fewer than 20 people who are banned from the stadium, their names, email addresses, and birth dates were accessed.


Hundreds of thousands of exposed fans

All of the affected individuals were notified and warned about potential incoming phishing emails.

Ajax said the breach was possible because of “vulnerabilities” which have since been patched. The club also notified the Dutch Data Protection Authority, as well as law enforcement.

From the press release, one might conclude that only a handful of people lost data that, in many instances, is publicly available.

However, Cybernews reports that 300,000 fans actually had their personally identifiable information (PII) exposed. Citing RTL Nieuws, a local news outlet that was first to report on the incident, the publication said an ethical hacker demonstrated the vulnerability.

He showed that he could see personal details of 300,000 fans and even tamper with their accounts, transferring season passes and match tickets to other people. He was even able to modify and remove stadium bans, potentially creating a security risk by allowing aggressive fans and hooligans back into the stands.

He said the problem was in the Ajax app, in which every user has the same digital key: “By manipulating a sent data packet, you can perform actions on someone else’s behalf, such as transferring a ticket,” he explained.

“This way, an unauthorized person could gain access to all kinds of sensitive data belonging to Ajax fans and perform actions,” the hacker added.
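
The flaw class described above, as an added illustration that is not code from Ajax, its app, or the original reporting: a handler that trusts a key shared by every install plus a client-supplied account field, beside one that derives the acting user from a per-user token verified on the server. The ticket store, field names and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: hypothetical ticket-to-owner map, not a real data model.
TICKETS = {"T1": "alice", "T2": "bob"}
SHARED_APP_KEY = "same-key-in-every-install"  # the weakness: identical for all users
SERVER_SECRET = secrets.token_bytes(32)       # stays on the server

def transfer_vulnerable(request, tickets):
    """The shared key proves only that *an* app sent the request, not which user."""
    if request.get("app_key") != SHARED_APP_KEY:
        return False
    # Ownership is checked against a field the client controls.
    if tickets.get(request["ticket_id"]) != request["from_user"]:
        return False
    tickets[request["ticket_id"]] = request["to_user"]
    return True

def _tag(user_id):
    return hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()

def issue_session(user_id):
    """Per-user token handed out after login: user id plus a server-side MAC."""
    return f"{user_id}.{_tag(user_id)}"

def authenticated_user(token):
    """Return the user id only if the MAC verifies; otherwise None."""
    user_id, _, tag = token.rpartition(".")
    if user_id and hmac.compare_digest(tag.encode(), _tag(user_id).encode()):
        return user_id
    return None

def transfer_hardened(request, tickets):
    """Acting user comes from the verified token; client-supplied owner is ignored."""
    user = authenticated_user(request.get("session", ""))
    if user is None:
        return False
    # Object-level authorization: the ticket must belong to the authenticated user.
    if tickets.get(request.get("ticket_id")) != user:
        return False
    tickets[request["ticket_id"]] = request["to_user"]
    return True
```
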



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
