Dutch Police Arrest Suspect in AFC Ajax Football Club Data Breach
- Suspect Apprehended: The Dutch National Police arrested a 35-year-old man for multiple AFC Ajax IT intrusions.
- Vulnerability Exploited: An attacker exploited vulnerabilities to access APIs and shared keys.
- Security Restored: The organization said it patched the exploited flaws and notified regulatory authorities.
The Dutch National Police arrested a 35-year-old man from the municipality of Buren on the morning of May 26, 2026. Authorities suspect him of multiple unauthorized intrusions into the IT infrastructure of the professional football club Ajax Amsterdam, also known as AFC Ajax.
Following the arrest, the police searched the suspect's home, seizing various devices for further investigation.
System Vulnerabilities
AFC Ajax initially disclosed the cybersecurity incident in late March. At that time, the club said a threat actor had exploited specific vulnerabilities in its IT systems to gain unauthorized access to personal data belonging to a few hundred individuals. It also stated that the attacker modified stadium bans imposed on fewer than 20 individuals and illicitly transferred purchased tickets to other users.
A detailed RTL report cited by BleepingComputer highlighted the extensive nature of the threat. The same vulnerability enabled broad, unauthorized access to fan data via APIs and shared keys, allowing the hacker to reassign a VIP season ticket in seconds.
The RTL investigation revealed that the system compromise enabled:
- manipulation of 538 supporter stadium bans,
- alteration of 42,000 season tickets,
- viewing of detailed records for more than 300,000 user accounts.
A BNR publication reported that the hacker had discovered a previous data leak at Ajax in 2017, after which he was required to sign a confidentiality agreement and to stay away from the football club's systems. The hacker stated that he had reported the 2026 hack to Ajax himself, but was asked to abide by the 2017 agreement, and the club filed a police report.
Compromise and Data Exposure
To mitigate the threat, Ajax Amsterdam has since patched the exploited vulnerabilities, securing its infrastructure against further intrusion.
Following standard incident response protocols, the organization promptly notified the Dutch Data Protection Authority and the police to facilitate a thorough investigation into the breach.
In other recent news, Dutch authorities seized 800 servers linked to Russian cyberattacks and arrested two individuals. In February, a data breach at Dutch telecom giant Odido exposed 6.2 million customers’ sensitive information.
In January, FC Barcelona reported a cyberattack on its access management systems.




