AFC Ajax drops ball as hackers transfer tickets, lift bans

Dutch football giant AFC Ajax has admitted to a data breach after an attacker gained access to its internal systems, in an incident that looks less like a stray pass and more like the gates left wide open. The club says a "hacker in the Netherlands" exploited vulnerabilities to access parts of its systems, viewing email addresses of a few hundred people and limited personal data tied to fewer than 20 supporters with stadium bans. Ajax says it patched the holes, notified regulators, and has "no indication" the data has spread further. That's the scoreboard Ajax wants to show. The match report from RTL News looks more like a game where the defense stayed in the locker room. RTL's investigation found that by poking at exposed APIs and reusing shared digital keys, it was possible to act as other users entirely – transferring season tickets, altering account details, and even lifting stadium bans. For example, RTL lifted a VIP ticket from Ajax director Menno Geelen's account in seconds and used it to access an upcoming match before the club clawed it back. The flaws potentially exposed data tied to more than 300,000 registered supporters and put upwards of 42,000 season tickets in play – tickets that could be stolen or simply vanish from an account with little the ticketholder could do about it. Leeds United kick card swipers into Row Z after 5-day cyberattack Manchester United email servers remain offline amid what is being called a 'ransomware' attack RansomHub claims to net data hat-trick against Bologna FC Brit Salesforce exec Gavin Patterson becomes transfer target for controversial European Super League RTL also found details of more than 500 supporters with stadium bans sitting there for the taking, including the reasons behind them – from scuffles with stewards to drug-related incidents. Not exactly the sort of thing you'd want easily searchable. As one affected individual, a local government worker, put it: "This could harm my career." Ajax's own statement concedes that a journalist demonstrated the ability to transfer tickets and modify bans, but offered little detail on how such a wide-open setup made it into production in the first place. RTL's reporting points to a more basic problem: systems that trusted requests they shouldn't have, handing out the same digital keys to everyone, and effectively letting anyone call the shots. Ajax appears keen to keep the scoreline respectable, focusing on the limited number of confirmed data exposures. But when outsiders can not only see the data but also pull the levers behind it, this looks less like a narrow breach and more like an own goal scored with no one in the net. ®