Dutch football club AFC Ajax suffered a serious data breach where hackers exploited API flaws to access supporter data, transfer season tickets, and lift stadium bans, affecting hundreds of thousands of users.
Dutch football giant AFC Ajax has suffered a serious data breach that exposed not just personal information but also allowed hackers to manipulate ticketing systems and lift stadium bans - a security failure that goes far beyond simple data exposure.
What happened
The club confirmed that an attacker in the Netherlands exploited vulnerabilities in its internal systems to access parts of its infrastructure. According to Ajax's official statement, the breach involved viewing email addresses of a few hundred people and limited personal data tied to fewer than 20 supporters with stadium bans.
However, an investigation by RTL News revealed the true extent of the security failures. By exploiting exposed APIs and reusing shared digital keys, attackers could act as other users entirely - transferring season tickets, altering account details, and even lifting stadium bans.
The scale of the breach
RTL's investigation found that the flaws potentially exposed data tied to more than 300,000 registered supporters. With upwards of 42,000 season tickets potentially in play, tickets could be stolen or simply vanish from accounts with little recourse for the original holders.
The investigation also uncovered details of more than 500 supporters with stadium bans, including the reasons behind them - from scuffles with stewards to drug-related incidents. As one affected individual, a local government worker, noted: "This could harm my career."
How the attack worked
The vulnerabilities were shockingly basic. Systems trusted requests they shouldn't have, handed out the same digital keys to everyone, and effectively let anyone call the shots. For example, RTL was able to lift a VIP ticket from Ajax director Menno Geelen's account in seconds and use it to access an upcoming match before the club intervened.
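The failure described above, a single key shared by every client plus a server that trusts the ticket and account named in the request, is the textbook broken-authorization pattern. As an added illustration (constructed example code, not Ajax's software; every ticket id, account name, role and key below is made up), here is such a handler next to a hardened version that binds each request to a per-user session and checks ticket ownership and staff role on the server side:

```python
from dataclasses import dataclass
from typing import Dict, Optional
import hmac
import secrets

# Constructed sample state; none of this is the club's data.
TICKETS: Dict[str, str] = {"ST-1001": "alice", "ST-1002": "bob"}  # ticket id -> owner
BANS: Dict[str, str] = {"carol": "ban until end of season"}  # account -> ban record
ROLES: Dict[str, str] = {"alice": "supporter", "bob": "supporter", "steward": "staff"}

# Weak design: one key compiled into every client build, so presenting it
# proves only that the caller has the app, not who the caller is.
SHARED_APP_KEY = "app-key-shared-by-all-clients"

@dataclass
class Request:
    headers: Dict[str, str]
    body: Dict[str, str]

def transfer_ticket_weak(req: Request, tickets: Dict[str, str]) -> dict:
    """The pattern in the article: check a shared key, then trust the body."""
    if not hmac.compare_digest(req.headers.get("X-App-Key", ""), SHARED_APP_KEY):
        return {"ok": False, "error": "bad app key"}
    # Missing check: does the caller own req.body["ticket"]?  Any app user can
    # therefore move any ticket to any account.
    tickets[req.body["ticket"]] = req.body["to"]
    return {"ok": True}

class SessionStore:
    """Per-user bearer tokens issued at login; the token says who is calling."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

def _caller(req: Request, sessions: SessionStore) -> Optional[str]:
    """Resolve the authenticated user from the Authorization header, or None."""
    auth = req.headers.get("Authorization", "")
    return sessions.user_for(auth[7:]) if auth.startswith("Bearer ") else None

def transfer_ticket_hardened(req: Request, sessions: SessionStore,
                             tickets: Dict[str, str]) -> dict:
    """Object-level authorization: the ticket must belong to the caller."""
    caller = _caller(req, sessions)
    if caller is None:
        return {"ok": False, "error": "not authenticated"}
    ticket = req.body.get("ticket", "")
    if tickets.get(ticket) != caller:
        # Same answer for "not yours" and "no such ticket", so the endpoint
        # does not confirm which ticket ids exist.
        return {"ok": False, "error": "ticket not found"}
    tickets[ticket] = req.body["to"]
    return {"ok": True}

def lift_ban_hardened(req: Request, sessions: SessionStore,
                      bans: Dict[str, str], roles: Dict[str, str]) -> dict:
    """Function-level authorization: only staff may change ban records."""
    caller = _caller(req, sessions)
    if caller is None:
        return {"ok": False, "error": "not authenticated"}
    if roles.get(caller) != "staff":
        return {"ok": False, "error": "forbidden"}
    account = req.body.get("account", "")
    if account not in bans:
        return {"ok": False, "error": "no ban on record"}
    del bans[account]
    return {"ok": True}

def demo() -> dict:
    """Run both designs against copies of the sample state and collect the outcomes."""
    weak_tickets = dict(TICKETS)
    weak = transfer_ticket_weak(Request({"X-App-Key": SHARED_APP_KEY},
                                        {"ticket": "ST-1001", "to": "mallory"}), weak_tickets)
    sessions = SessionStore()

    def as_user(user: str, body: Dict[str, str]) -> Request:
        return Request({"Authorization": "Bearer " + sessions.login(user)}, body)

    hard_tickets, bans = dict(TICKETS), dict(BANS)
    return {
        "weak_transfer": weak,
        "weak_owner_after": weak_tickets["ST-1001"],
        "bob_moves_alices_ticket": transfer_ticket_hardened(
            as_user("bob", {"ticket": "ST-1001", "to": "bob"}), sessions, hard_tickets),
        "alice_moves_own_ticket": transfer_ticket_hardened(
            as_user("alice", {"ticket": "ST-1001", "to": "dave"}), sessions, hard_tickets),
        "owner_after": hard_tickets["ST-1001"],
        "supporter_lifts_ban": lift_ban_hardened(
            as_user("bob", {"account": "carol"}), sessions, bans, ROLES),
        "staff_lifts_ban": lift_ban_hardened(
            as_user("steward", {"account": "carol"}), sessions, bans, ROLES),
        "bans_after": bans,
    }
```

Calling `demo()` shows the contrast: the weak handler hands Alice's ticket to whoever supplies the shared key, while the hardened handler refuses Bob's cross-account transfer and a supporter's attempt to clear a ban, and only acts when the session owner actually holds the ticket or the staff role. The "ticket not found" response is deliberately identical for a foreign ticket and a nonexistent one so the endpoint cannot be used to enumerate valid ids.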
What Ajax says
The club maintains it has patched the vulnerabilities, notified regulators, and has "no indication" the data has spread further. Ajax's statement concedes that a journalist demonstrated the ability to transfer tickets and modify bans, but offers little detail on how such a wide-open setup made it into production.
Why this matters
This isn't just another data breach - it's a fundamental failure of access controls that allowed attackers to not only view sensitive information but actively manipulate the system. The ability to transfer season tickets and lift stadium bans represents a serious security and operational failure that could have financial and reputational consequences for both the club and affected supporters.
Regulatory implications
With Ajax having notified regulators, this breach will likely face scrutiny under GDPR and Dutch data protection laws. The scale of the exposure - potentially affecting hundreds of thousands of users - and the severity of the vulnerabilities could result in significant fines and mandatory security improvements.

The incident serves as a stark reminder that proper authentication and authorization controls are fundamental to any system handling personal data or valuable assets like tickets. When these basics fail, the consequences can extend far beyond simple data exposure to active system manipulation.
