
Dutch football club AFC Ajax Amsterdam has disclosed a data breach after a hacker gained unauthorized access to internal systems, while an independent investigation revealed flaws that could also enable ticket theft and manipulation of stadium bans.
The breach was publicly acknowledged by Ajax on March 25, 2026, shortly after Dutch journalist Daniël Verlaan of RTL Nieuws exposed multiple security flaws in the club’s platforms. According to Ajax, the intrusion involved a Netherlands-based hacker who accessed limited datasets, including names, email addresses, and dates of birth belonging to fewer than 20 individuals with stadium bans.
However, RTL Nieuws, which was tipped off by a hacker, demonstrated that vulnerabilities in Ajax’s mobile app and backend APIs allowed unauthorized users to manipulate accounts. By intercepting and modifying data packets, an attacker could transfer season tickets between accounts without consent. In a proof-of-concept test, Verlaan needed only seconds to reassign a season ticket belonging to Ajax director Menno Geelen, which granted access to a VIP area for an upcoming high-profile match.

Ajax is one of Europe’s most prominent football clubs, with over 300,000 registered fans and more than 42,000 season ticket holders. Its digital ecosystem includes mobile applications, ticketing systems, and integrated identity-linked services, making it a high-value target for attackers seeking both financial gain and personal data.
The investigation also uncovered a separate vulnerability exposing a list of 538 supporters with active stadium bans. This data, accessible through poorly secured API endpoints, included sensitive personal information and could be altered by attackers. Researchers found it was even possible to revoke stadium bans entirely.

Ajax stated that there is currently no evidence that the accessed data has been further distributed or abused. Still, the club acknowledged the vulnerabilities and confirmed that external cybersecurity experts were engaged to investigate the incident. The affected systems have since been patched, and the club has reported the breach to the Dutch Data Protection Authority and filed a police complaint.
Despite Ajax’s assertion that only a limited number of individuals were directly impacted, the broader implications of the vulnerabilities, particularly the ability to steal or disable tickets and alter account data, raise concerns about potential abuse, including resale on black markets. Representatives from supporter organizations have criticized the extensive linking of personal data to ticketing systems, calling it unnecessarily risky.
Ajax has notified affected individuals and emailed all ticket holders as a precaution, urging vigilance against phishing attempts.
