Ajax hit by data leak as hacker could change stadium bans and assign tickets to other names

Ajax were alerted to a massive vulnerability by a journalist. In their official statement, the club admitted that a "hacker in the Netherlands unlawfully" gained access to parts of their systems. This catastrophic error allowed potential access to the private data of over 300,000 registered fans. Furthermore, the intruder could view the email addresses of a few hundred supporters, sparking major privacy concerns for the Eredivisie club who have since tightened their digital security and refused further comment.

The severity of the leak extended far beyond standard data privacy issues. RTL Nieuwsreported that the hacker could see which of the more than 500 supporters currently have a stadium ban, and possessed the power to lift these restrictions entirely. This is highly precarious, as the exposed individuals include a civil servant and a police employee; public knowledge of such disciplinary records could severely damage their professional careers. However, Ajax stated that the names, email addresses and dates of birth of fewer than 20 banned individuals were actually viewed during the breach.

Furthermore, the breach compromised the digital ticketing infrastructure, leaving more than 42,000 season tickets vulnerable. The hacker could have easily stolen these passes to attend matches, rendered them completely unusable, or assigned tickets for upcoming fixtures to different names. This terrifying prospect posed a significant threat to public safety and matchday operations. This has prompted a rigorous review of how supporter data is protected during high-profile matchdays in the capital.

Following the alarming discovery, the Dutch giants say they have acted swiftly to patch the leaks and secure their digital perimeter. The administration reported the incident to the privacy watchdog, the Dutch Data Protection Authority, which has confirmed receiving the notification. Additionally, Ajax have filed a formal police report to pursue criminal charges against the perpetrator. An external party has been brought in to help conduct a comprehensive investigation into the incident. Meanwhile, transparency remains a priority, as all individuals who became part of the data leak in any way have now been directly informed by the club.