Ajax data breach risks season tickets and fan bans

Summary
– An unknown hacker accessed parts of AFC Ajax’s IT systems, obtaining email addresses for a few hundred people.
– The breach exploited vulnerabilities in the club’s app and website, including exposed APIs and shared access keys.
– For under 20 individuals with stadium bans, accessed data included names, email addresses, and dates of birth.
– The hack potentially exposed data for over 300,000 registered fans and allowed manipulation of season tickets and stadium bans.
– Ajax has patched the vulnerabilities, launched an investigation with experts, and notified police and data authorities.
A major cybersecurity incident at AFC Ajax has exposed sensitive fan data and created significant risks for season ticket holders and banned supporters. The Amsterdam-based football club confirmed that an unauthorized individual breached its digital infrastructure by exploiting weaknesses in its official app and website, including exposed APIs and shared access keys, which allowed the hacker to obtain the email addresses of several hundred individuals.
While the club stated that fuller personal details, including names and dates of birth, were accessed for fewer than twenty people currently under a stadium ban, the potential scope is far wider. An investigation by RTL Nieuws, prompted by the hacker contacting one of its journalists, found that the breach could affect over 300,000 registered fans. The compromised systems reportedly allowed the theft or disabling of more than 42,000 season tickets, with holders unable to prevent a ticket from vanishing from their account. The hack also provided access to a list identifying which 538 supporters have active bans.
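The article names the weakness class (exposed APIs and shared access keys) but not how such a flaw lets one caller move another fan's ticket. The following is an added illustrative model, not Ajax's code and not a description of its actual systems: a ticketing API whose only credential is one shared key embedded in the client, so any holder of that key can transfer any ticket by supplying someone else's ticket id, beside a version that issues per-user session tokens and checks that the caller owns the ticket before acting on it. All account names, ticket ids and the key value are constructed for the example; the same missing ownership check would apply to an endpoint that edits a ban list.

```python
"""Shared-key API versus per-user authorization, as an illustrative model.

Constructed data throughout; none of the names or values come from the
article or from any real ticketing system.
"""
from dataclasses import dataclass
import hmac
import secrets

# A single key baked into every copy of a client app is effectively public:
# anyone who extracts it can call the API as "the app", not as one fan.
SHARED_APP_KEY = "app-key-embedded-in-mobile-client"  # constructed


@dataclass
class Ticket:
    ticket_id: str
    owner: str


def sample_tickets():
    """Constructed sample data: two season tickets belonging to two fans."""
    return [Ticket("T-1001", "fan-a"), Ticket("T-1002", "fan-b")]


class VulnerableTicketAPI:
    """Authenticates the *client*, never the *user*; no ownership check."""

    def __init__(self, tickets):
        self.tickets = {t.ticket_id: t for t in tickets}

    def transfer(self, api_key, ticket_id, to_account):
        if not hmac.compare_digest(api_key, SHARED_APP_KEY):
            raise PermissionError("bad key")
        # Flaw: the ticket id is taken from the request and nothing ties the
        # caller to the ticket's owner, so any key holder can move any ticket.
        self.tickets[ticket_id].owner = to_account
        return True


class HardenedTicketAPI:
    """Per-user session tokens; a transfer requires owning the ticket."""

    def __init__(self, tickets):
        self.tickets = {t.ticket_id: t for t in tickets}
        self.sessions = {}  # token -> account name

    def login(self, account):
        # Stand-in for a real login; the point is that the token identifies
        # one user, unlike a key shared by every installed client.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = account
        return token

    def transfer(self, token, ticket_id, to_account):
        caller = self.sessions.get(token)
        if caller is None:
            raise PermissionError("unauthenticated")
        ticket = self.tickets.get(ticket_id)
        # Same error for a missing ticket and someone else's ticket, so the
        # endpoint cannot be used to enumerate which ids exist.
        if ticket is None or ticket.owner != caller:
            raise PermissionError("not found or not yours")
        ticket.owner = to_account
        return True


def demo_vulnerable():
    """Attacker with the extracted shared key takes fan-a's ticket."""
    api = VulnerableTicketAPI(sample_tickets())
    api.transfer(SHARED_APP_KEY, "T-1001", "attacker")
    return api.tickets["T-1001"].owner


def demo_hardened():
    """Same attempt against the hardened API is refused; owner is unchanged."""
    api = HardenedTicketAPI(sample_tickets())
    attacker_token = api.login("attacker")
    try:
        api.transfer(attacker_token, "T-1001", "attacker")
    except PermissionError:
        pass
    return api.tickets["T-1001"].owner


if __name__ == "__main__":
    print("vulnerable API, T-1001 now owned by:", demo_vulnerable())
    print("hardened API, T-1001 still owned by:", demo_hardened())
```

The hardened version still needs the rest of what a real deployment requires (token expiry, rate limiting, audit logging of transfers), but it shows the check whose absence turns a leaked client key into control over every account the API can reach.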
Ajax has launched a full investigation with external cybersecurity experts, patched the identified vulnerabilities, and notified both law enforcement and the Dutch Data Protection Authority. In a public statement, the club urged vigilance, advising fans to be extra alert for phishing messages and suspicious emails, and to avoid clicking links or opening attachments from unknown senders. The club noted there is currently no indication the accessed data has been disseminated further.
The hacker’s decision to contact a journalist rather than sell the data on the dark web suggests the intrusion may not have been driven by overtly malicious intent. However, the demonstration provided to RTL showed the alarming capability to transfer tickets and modify stadium bans, highlighting serious flaws in the club’s digital security framework. This incident underscores the critical need for robust data protection measures in sports organizations that manage vast amounts of sensitive fan information.
(Source: Help Net Security)