Dutch professional football club Ajax Amsterdam (AFC Ajax) said a hacker exploited vulnerabilities in its IT systems and accessed data belonging to a few hundred people. The club said it learned of the security issues after journalists were tipped off by the hacker and has opened an investigation.
AFC Ajax said the data viewed included the email addresses of a few hundred people and, for fewer than 20 people with stadium bans, names, email addresses and dates of birth. The club said the exposed data has not been leaked and that it has engaged external experts to determine the scope and root cause of the incident.
RTL journalists who received a tip from the hacker independently verified the reported vulnerabilities. RTL said they were able to transfer season tickets from holders to arbitrary people, access and modify stadium ban records, and gain broad access to fan data via APIs and shared keys.
In a demonstration, RTL said it reassigned a VIP season ticket in seconds and reported it could manipulate 42,000 season tickets, 538 supporter stadium bans and view details on more than 300,000 accounts. The journalists described their investigation as non-malicious.
Ajax said all identified vulnerabilities have been patched and that it has introduced additional security measures. The club also said the Dutch Data Protection Authority and the police have been notified. It is not clear whether the weaknesses had been discovered or exploited before this incident.
Security observers advised affected fans to be vigilant for suspicious communications, especially messages impersonating AFC Ajax.