Ajax Amsterdam Suffers Data Breach After Hacker Exploits IT Vulnerabilities
Dutch football giant AFC Ajax confirmed a security breach after a hacker exploited vulnerabilities in its IT systems, gaining unauthorized access to sensitive data. The incident, first reported by journalists tipped off by the attacker, exposed email addresses of a few hundred individuals and personal details including names, email addresses, and birthdates of fewer than 20 people with stadium bans.
Investigative journalists from RTL independently verified the flaws, demonstrating how the hacker could reassign season tickets, modify stadium ban records, and access fan data through unsecured APIs and shared keys. In a test, they transferred a VIP season ticket in seconds and confirmed potential access to 42,000 season tickets, 538 supporter bans, and over 300,000 fan accounts.
Ajax stated that the exposed data was viewed but not leaked, and all identified vulnerabilities have since been patched. External cybersecurity experts are assessing the incident’s full scope, while Dutch authorities, including the Data Protection Authority and police, have been notified.
The hacker’s decision to disclose the flaws via media rather than exploit them for profit suggests limited malicious intent. However, it remains unclear whether the vulnerabilities were previously discovered or abused. The club has implemented additional security measures to prevent future breaches.
Ajax Football Club cybersecurity rating report: https://www.rankiteo.com/company/ajax-football-club
"id": "AJA1774563897",
"linkid": "ajax-football-club",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Few hundred (email addresses), '
                                              '<20 (personal details), '
                                              'potential access to 42,000 '
                                              'season tickets and 300,000 fan '
                                              'accounts',
                        'industry': 'Sports/Entertainment',
                        'location': 'Netherlands',
                        'name': 'AFC Ajax',
                        'type': 'Football Club'}],
 'attack_vector': 'Exploited IT vulnerabilities, unsecured APIs, shared keys',
 'data_breach': {'data_exfiltration': 'No (data viewed but not leaked)',
                 'number_of_records_exposed': 'Few hundred (email addresses), '
                                              '<20 (personal details), '
                                              'potential access to 42,000 '
                                              'season tickets and 300,000 fan '
                                              'accounts',
                 'personally_identifiable_information': 'Yes (names, email '
                                                        'addresses, '
                                                        'birthdates)',
                 'sensitivity_of_data': 'High (personal details, stadium bans)',
                 'type_of_data_compromised': 'Email addresses, personal '
                                             'details (names, birthdates), '
                                             'stadium ban records, season '
                                             'ticket data, fan accounts'},
 'description': 'Dutch football giant AFC Ajax confirmed a security breach '
                'after a hacker exploited vulnerabilities in its IT systems, '
                'gaining unauthorized access to sensitive data. The incident '
                'exposed email addresses of a few hundred individuals and '
                'personal details including names, email addresses, and '
                'birthdates of fewer than 20 people with stadium bans. The '
                'hacker could reassign season tickets, modify stadium ban '
                'records, and access fan data through unsecured APIs and '
                'shared keys.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Email addresses (few hundred), personal '
                                'details (names, email addresses, birthdates '
                                'of <20 individuals with stadium bans)',
            'identity_theft_risk': 'Yes',
            'operational_impact': 'Potential unauthorized modification of '
                                  'season tickets and stadium ban records',
            'systems_affected': 'IT systems, season ticket management, stadium '
                                'ban records, fan accounts'},
 'investigation_status': 'Ongoing (external cybersecurity experts assessing '
                         'full scope)',
 'motivation': 'Limited malicious intent (disclosure via media)',
 'post_incident_analysis': {'corrective_actions': 'Vulnerabilities patched, '
                                                  'additional security '
                                                  'measures implemented',
                            'root_causes': 'Unsecured APIs, shared keys'},
 'references': [{'source': 'RTL'}],
 'regulatory_compliance': {'regulatory_notifications': 'Dutch Data Protection '
                                                       'Authority'},
 'response': {'containment_measures': 'Vulnerabilities patched',
              'law_enforcement_notified': 'Yes (Dutch Data Protection '
                                          'Authority and police)',
              'remediation_measures': 'Additional security measures '
                                      'implemented',
              'third_party_assistance': 'External cybersecurity experts'},
 'threat_actor': 'Hacker',
 'title': 'Ajax Amsterdam Suffers Data Breach After Hacker Exploits IT '
          'Vulnerabilities',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unsecured APIs, shared keys'}