AFC Ajax drops ball as flaws let hackers play admin with tickets and bans

Summary

Dutch football giant AFC Ajax has admitted to a data breach after an attacker gained access to its internal systems, in an incident that looks less like a stray pass and more like the gates left wide open. The club says a "hacker in the Netherlands" exploited vulnerabilities to access parts of its systems, viewing email addresses of a few hundred people and limited personal data tied to fewer than 20 supporters with stadium bans. Ajax says it patched the holes, notified regulators, and has "no indication" the data has spread further. That's the scoreboard Ajax wants to show. The match report from RTL News looks more like a game where the defense stayed in the locker room. RTL's investigation found that by poking at exposed APIs and reusing shared digital keys, it was possible to act as other users entirely – transferring season tickets, altering account details, and even lifting stadium bans. For example, RTL lifted a VIP ticket from Ajax director Menno Geelen's account in seconds and used it to access an upcoming match before the club clawed it back. The flaws potentially exposed data tied to more than 300,000 registered supporters and put upwards of 42,000 season tickets in play – tickets that could be stolen or simply vanish from an account with little the ticketholder could do about it. RTL also found details of more than 500 supporters with stadium bans sitting there for the taking, including the reasons behind them – from scuffles with stewards to drug-related incidents. Not exactly the sort of thing you'd want easily searchable. As one affected individual, a local government worker, put it: "This could harm my career." Ajax's own statement concedes that a journalist demonstrated the ability to transfer tickets and modify bans, but offered little detail on how such a wide-open setup made it into production in the first place. RTL's reporting points to a more basic problem: systems that trusted requests they shouldn't have, handing out the same digital keys to ...