Industry - Data Breach
Executive Summary
Dutch police arrested a 35-year-old man suspected of repeatedly accessing Ajax football club's computer systems through an unpatched vulnerability disclosed in March. The breach exposed email addresses of several hundred people and limited personal information of individuals with stadium bans, though some reports suggest it may have affected over 300,000 registered supporters and 42,000 season tickets. The incident highlights the growing trend of cyberattacks targeting sports organizations, w...
What Happened
Dutch police arrested a 35-year-old man in Buren suspected of repeatedly accessing Ajax football club's computer systems through an unpatched vulnerability. The breach, disclosed by Ajax in March 2026, exposed email addresses of several hundred people and limited personal information of individuals with stadium bans. The vulnerability also allowed the attacker to potentially transfer tickets and alter stadium-ban records, prompting Ajax to patch the flaw and launch an investigation.
Who Is Affected
At minimum, several hundred Ajax supporters had their email addresses exposed, along with personal information of individuals subject to stadium bans. Dutch broadcaster RTL reported the breach may have potentially affected over 300,000 registered Ajax supporters and more than 42,000 season ticket holders, though the full scope remains unclear. The breach primarily impacts individuals who have registered accounts or hold tickets with the Amsterdam-based football club.
Why It Matters
This incident illustrates the vulnerability of sports organizations to cyberattacks, as criminals increasingly target clubs holding extensive fan databases and ticketing systems. The exploitation of a known but unpatched vulnerability demonstrates how delayed security updates can leave hundreds of thousands of supporters' personal information exposed. Ajax joins a growing list of major football clubs and associations experiencing breaches, including Bologna FC, Paris Saint-Germain, Manchester United, and national football federations in the Netherlands and France.
What You Should Do
If you are an Ajax supporter or ticket holder, monitor your email account for phishing attempts that may reference your association with the club. Change your Ajax account password immediately and enable two-factor authentication if available. Review your season ticket account for any unauthorized transfers or changes to your records, and report suspicious activity to Ajax's customer service.
Summary generated from verified sources and reviewed before publication. How we summarize.