Ajax FC data breach exposes 300,000 fans, hacker steals tickets and stadium ban details


Ajax, one of the most popular soccer clubs in the Netherlands, recently experienced a data breach that exposed the personally identifiable information (PII) of more than 300,000 fans.


In a press release, the Dutch soccer club stated that a hacker unlawfully gained access to parts of its IT systems. With the help of external cybersecurity experts, an internal investigation was launched into the matter.


Details about the scope and impact of the breach are limited, but according to the club, only the email addresses of a few hundred people were viewed. Furthermore, personal and sensitive information belonging to fewer than 20 people with stadium bans was accessed.

The vulnerabilities that were directly responsible for the data breach have been identified and patched. On top of that, additional security measures have been implemented to prevent a recurrence.

Supporters of AFC Ajax Amsterdam. Marcel van Dorst/EYE4images/NurPhoto/Getty.

Affected supporters have been informed by Ajax. The soccer club recommends that they be extra careful and vigilant when they receive suspicious-looking emails and messages, and that they never click on URLs or open attachments from unknown senders.

“For now, we know that access was gained to part of our systems and data, but at this moment, we have no indication that the data has been spread. Nevertheless, we remind everyone that it is always wise to stay alert for unwanted emails (spam) or phishing messages,” the club says.

The Dutch data protection authority (DPA) has been notified of the incident. Ajax has also filed a police report.

RTL Nieuws, the news outlet that first reported on the incident, was contacted by an ethical hacker about the breach. He demonstrated that an attacker could not only see the personal details of over 300,000 fans, but also transfer season passes and match tickets to other individuals, as well as modify or remove stadium bans.


According to the ethical hacker, every Ajax app user has the same digital key to make adjustments to their account.


“By manipulating a sent data packet, you can perform actions on someone else’s behalf, such as transferring a ticket,” he explained.

In addition, the website of the soccer club contained a vulnerability that made the list of stadium bans accessible. Ajax uses multiple software interfaces, or APIs, in which the administrator's digital key could be found.

“This way, an unauthorized person could gain access to all kinds of sensitive data belonging to Ajax fans and perform actions,” the hacker says.
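The flaw the ethical hacker describes, a single key shared by every app user and a request body that names the account being acted on, is a missing object-level authorization check. The following added example is hypothetical code written for this article, not Ajax's software or the app the hacker examined: it sketches a ticket-transfer handler that derives the acting user from a per-user, server-issued credential, checks ticket ownership against that identity rather than any client-supplied field, and includes a small detection routine over constructed log lines that flags requests whose claimed actor differs from the verified one. The token format, field names and log layout are all assumptions for the demonstration.

```python
"""Hypothetical ticket-transfer authorization check (not Ajax's code).

The acting user is taken from a credential the server issued to that user,
never from an 'acting_user' field the client can edit, and ownership of the
ticket is checked against that verified identity before anything changes.
"""
import hashlib
import hmac
import secrets

# Per-deployment secret used to bind tokens to users (constructed at import time).
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(user: str) -> str:
    """Per-user credential: the user id plus an HMAC tag over it.

    A production system would use short-lived session tokens or signed JWTs
    with expiry; the shape here is only meant to show that each user gets a
    distinct, unforgeable credential instead of one key shared by everyone.
    """
    tag = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verify_token(token: str):
    """Return the user bound to the token, or None if it is missing, altered or forged."""
    try:
        user, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def transfer_ticket(request: dict, tickets: dict) -> dict:
    """Hardened handler. `request` is the parsed client body; `tickets` maps
    ticket id -> owning account and is mutated only after the checks pass.

    Any 'acting_user' field in the body is deliberately ignored: the identity
    comes from the verified token, so editing the packet changes nothing.
    """
    actor = verify_token(request.get("token", ""))
    if actor is None:
        return {"ok": False, "reason": "invalid credential"}
    ticket_id = request.get("ticket_id")
    owner = tickets.get(ticket_id)
    if owner is None:
        return {"ok": False, "reason": "no such ticket"}
    if owner != actor:
        # Object-level authorization failure: refuse and surface it for logging.
        return {"ok": False, "reason": "not owner", "actor": actor, "owner": owner}
    new_owner = request["to_user"]
    tickets[ticket_id] = new_owner
    return {"ok": True, "ticket_id": ticket_id, "new_owner": new_owner}


# Constructed sample log lines in an assumed key=value format: the API records
# both the actor the client claimed in the body and the actor the token verified.
LOG_SAMPLE = [
    "2024-01-01T10:00:00Z actor_claimed=alice actor_verified=alice ticket=T-100 result=ok",
    "2024-01-01T10:00:05Z actor_claimed=bob actor_verified=alice ticket=T-200 result=denied",
    "2024-01-01T10:00:09Z actor_claimed=bob actor_verified=bob ticket=T-200 result=ok",
]


def flag_claim_mismatches(log_lines):
    """Detection: return the log lines where the client-supplied actor differs
    from the identity the credential resolved to, a sign the body was tampered with."""
    flagged = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:] if "=" in part)
        if fields.get("actor_claimed") != fields.get("actor_verified"):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    # Constructed sample state: ticket id -> owner account.
    tickets = {"T-100": "alice", "T-200": "bob"}
    alice = issue_token("alice")
    # Alice's token with a body claiming to act as Bob on Bob's ticket: refused.
    print(transfer_ticket({"token": alice, "acting_user": "bob",
                           "ticket_id": "T-200", "to_user": "mallory"}, tickets))
    # Alice transferring her own ticket: allowed.
    print(transfer_ticket({"token": alice, "ticket_id": "T-100", "to_user": "carol"}, tickets))
    print(flag_claim_mismatches(LOG_SAMPLE))
```

The design point is that the server never consults a client-controlled identity field when deciding whose tickets or bans may be changed; logging both the claimed and the verified actor, as the sample log does, gives a cheap signal for spotting tampering attempts after the fact.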

“We can imagine that our supporters are now wondering whether their data is secure. We understand this concern. The answer is that, unfortunately, 100% data security does not exist. However, it is our responsibility to minimize the risk of data breaches as much as possible,” Menno Geelen, General Director at Ajax, told the news outlet.

