
- Ajax football club suffers breach exposing sensitive fan data
- Ethical hacker showed vulnerability in app affecting 300,000 accounts
- Flaw allowed ticket transfers, stadium ban removals, and access to personal details
Ajax Amsterdam, one of the biggest football clubs in the Netherlands and across Europe, has confirmed it suffered a data breach in which it allegedly lost sensitive data on 300,000 people.
The club published a press release saying it had recently discovered a hacker “unlawfully gaining access to parts” of its systems.
“Data was viewed”, the club said, adding that the hacker accessed emails of “a few hundred people”. Ajax also said that for fewer than 20 people who are banned from the stadium, their names, email addresses, and birth dates were accessed.
Hundreds of thousands of exposed fans
All of the affected individuals were notified and warned about potential incoming phishing emails.
Ajax said the breach was possible because of “vulnerabilities” which have since been patched. The club also notified the Dutch Data Protection Authority, as well as law enforcement.
From the press release, one might conclude that only a handful of people lost data that, in many instances, is publicly available.
However, Cybernews reports that 300,000 fans actually had their personally identifiable information (PII) exposed. Citing RTL Nieuws, a local news outlet that was first to report on the incident, the publication said an ethical hacker demonstrated the vulnerability.
He showed that he could see personal details of 300,000 fans and even tamper with their accounts, transferring season passes and match tickets to other people. He was even able to modify and remove stadium bans, potentially creating a security risk by allowing aggressive fans and hooligans back into the stands.
He said the problem was in the Ajax app, in which every user has the same digital key: “By manipulating a sent data packet, you can perform actions on someone else’s behalf, such as transferring a ticket,” he explained.
“This way, an unauthorized person could gain access to all kinds of sensitive data belonging to Ajax fans and perform actions,” the hacker added.
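The flaw the hacker describes is a broken authorization pattern: the app proves only that a request came from a copy of the app (one key shared by every user), and then trusts whatever user identity the client wrote into the packet. The following is an added illustration, not code from Ajax or from the report, using constructed ticket data and hypothetical function names; it shows that pattern next to a hardened version where the acting user is taken from a server-side session bound to a per-user credential.

```python
import hmac
import secrets

# Hypothetical weak design: one static key baked into every copy of the app.
SHARED_APP_KEY = "app-key-shared-by-every-install"

SESSIONS: dict = {}  # server-side store: session token -> user id


def fresh_tickets() -> dict:
    """Constructed sample state: ticket id -> the fan who owns it."""
    return {"T-1001": "fan_a", "T-1002": "fan_b"}


def issue_session(user_id: str) -> str:
    """Log a fan in: a random per-user token the server maps back to them."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def transfer_vulnerable(tickets: dict, packet: dict) -> bool:
    """Weak pattern: checks only that the request came from *the app*
    (shared key), then trusts the user_id the client put in the packet."""
    if not hmac.compare_digest(packet.get("app_key", ""), SHARED_APP_KEY):
        return False
    actor = packet.get("user_id")             # client-controlled field
    if tickets.get(packet["ticket"]) != actor:
        return False
    tickets[packet["ticket"]] = packet["to_user"]
    return True


def transfer_hardened(tickets: dict, packet: dict, session_token: str) -> bool:
    """Hardened pattern: the acting user is whoever the server-side session
    says it is; a user_id in the body plays no part in the ownership check."""
    actor = SESSIONS.get(session_token)
    if actor is None:
        return False                           # no per-user credential, no action
    if tickets.get(packet["ticket"]) != actor:
        return False                           # caller does not own this ticket
    tickets[packet["ticket"]] = packet["to_user"]
    return True
```

The test for this defect during a review is simple: if one fan's session can complete an action on another fan's ticket by editing the identity field in the request, authorization is being decided by client data rather than by the session.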