Ajax Confirms Data Breach Exposing Fan Data and Season Tickets
Dutch football club Ajax has acknowledged a data breach affecting its website, following reports by RTL Nieuws. The incident exposed email addresses of several hundred individuals, while a smaller group of fewer than 20 supporters with stadium bans had their names, email addresses, and birth dates accessed.
According to Ajax, the breach may have allowed attackers to reassign season tickets and modify stadium bans. The club has notified affected individuals and reported the incident to the Dutch Data Protection Authority, as well as filing a police report. Authorities have not yet disclosed details, but an investigative team is actively examining the case.
RTL Nieuws’s findings suggest the breach could have impacted over 300,000 registered Ajax fans, with potential exposure of personal data. Additionally, more than 42,000 season tickets may have been stolen or disabled, while the records of 538 banned supporters could have been altered or lifted.
The vulnerability stemmed from an insecure API on Ajax’s website, allowing attackers to extract data without authentication. Amsterdam’s Police Cybercrime Team is investigating possible links to the recent takedown of the criminal forum LeakBase, where Dutch company databases were previously sold.
Ajax has since patched the flaw and strengthened security measures. The club previously faced a 2021 data breach on a fan platform, prompting earlier cybersecurity improvements.
Source: https://nltimes.nl/2026/03/25/ajax-confirms-major-data-breach-affecting-fans-season-tickets
AFC Ajax cybersecurity rating report: https://www.rankiteo.com/company/afc-ajax
"id": "AFC1774456765",
"linkid": "afc-ajax",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Over 300,000 registered fans, '
                                              '42,000 season ticket holders, '
                                              '538 banned supporters',
                        'industry': 'Sports/Entertainment',
                        'location': 'Amsterdam, Netherlands',
                        'name': 'Ajax (Amsterdamsche Football Club Ajax N.V.)',
                        'type': 'Football Club'}],
 'attack_vector': 'Insecure API',
 'customer_advisories': 'Affected individuals notified',
 'data_breach': {'number_of_records_exposed': 'Over 300,000 (potential), '
                                              '42,000 season tickets, 538 '
                                              'banned supporters',
                 'personally_identifiable_information': 'Yes (names, email '
                                                        'addresses, birth '
                                                        'dates)',
                 'sensitivity_of_data': 'High (PII, ticketing data)',
                 'type_of_data_compromised': ['Email addresses',
                                              'Names',
                                              'Birth dates',
                                              'Season ticket details',
                                              'Stadium ban records']},
 'description': 'Dutch football club Ajax has acknowledged a data breach '
                'affecting its website, following reports by RTL Nieuws. The '
                'incident exposed email addresses of several hundred '
                'individuals, while a smaller group of fewer than 20 '
                'supporters with stadium bans had their names, email '
                'addresses, and birth dates accessed. The breach may have '
                'allowed attackers to reassign season tickets and modify '
                'stadium bans.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Email addresses, names, birth dates, season '
                                'ticket details, stadium ban records',
            'identity_theft_risk': 'Yes',
            'legal_liabilities': 'Reported to Dutch Data Protection Authority',
            'operational_impact': 'Unauthorized modification of season tickets '
                                  'and stadium bans',
            'systems_affected': 'Ajax website, fan data systems'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Possible link to LeakBase '
                                                    'forum',
                           'entry_point': 'Insecure API'},
 'investigation_status': 'Ongoing (Amsterdam Police Cybercrime Team)',
 'post_incident_analysis': {'corrective_actions': 'API vulnerability patched, '
                                                  'security measures '
                                                  'strengthened',
                            'root_causes': 'Insecure API allowing '
                                           'unauthenticated data extraction'},
 'references': [{'source': 'RTL Nieuws'}],
 'regulatory_compliance': {'regulations_violated': ['GDPR'],
                           'regulatory_notifications': 'Reported to Dutch Data '
                                                       'Protection Authority'},
 'response': {'communication_strategy': 'Notified affected individuals',
              'containment_measures': 'API vulnerability patched',
              'law_enforcement_notified': 'Yes (Amsterdam Police Cybercrime '
                                          'Team, Dutch Data Protection '
                                          'Authority)',
              'remediation_measures': 'Security measures strengthened'},
 'title': 'Ajax Confirms Data Breach Exposing Fan Data and Season Tickets',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Authentication bypass via insecure API'}