Ajax Hit by Major Data Breach: Season Tickets Stolen, Stadium Bans Lifted
Amsterdam – A significant cyberattack has compromised the security of Dutch football club Ajax, potentially allowing the theft of season tickets and the lifting of existing stadium bans. The breach, which impacted over 300,000 registered Ajax fans, was revealed following an investigation by RTL Nieuws after being tipped off by a hacker.
According to reports, the hack enabled access to the private data of fans within the club’s app, and approximately 42,000 season tickets were either stolen or rendered unusable. Season ticket holders have no recourse to prevent this misuse.
The data breach also exposed information regarding 538 individuals currently under stadium bans, including their private details. Crucially, the hacker was able to remove those bans from the system. A substantial portion of these bans were linked to the F-Side, Ajax’s hardcore supporter group.
One supporter, a municipal employee, expressed concern about the potential repercussions of their information being exposed, stating, “This could damage my career.” Bart Schermer, a professor of Privacy and Cybercrime at Leiden University, echoed this sentiment, noting that potential employers may view a stadium ban negatively, particularly for certain positions.
The severity of the breach was demonstrated when RTL Nieuws was able to steal the season ticket of Ajax director Menno Geelen and gain access to premium seating. Ajax has since recovered the ticket and restored it to Geelen’s account.
Ajax acknowledged the incident on its club website, stating that a hacker gained access to the email addresses of several hundred individuals. The club also confirmed that the names, email addresses, and dates of birth of fewer than 20 individuals with stadium bans were compromised.
The Amsterdam club asserts that all vulnerabilities have been addressed and has filed a report with the Dutch Data Protection Authority, as well as initiating a formal complaint with law enforcement. This incident raises serious questions about data security within professional sports organizations and the potential consequences for individuals affected by such breaches.
