Ajax silenced hacker who found 2017 data breach

Ajax also suffered a data breach in 2017, but tried to hide the incident from the public. For years, the Dutch soccer club succeeded in keeping it quiet, but the truth has now come to light.
- Ajax covered up a 2017 data breach by forcing ethical hacker Abdoul Rasnab to sign an NDA, barring him from discussing the ticketing system vulnerability.
- Rasnab reported intimidation and racist remarks when he was pressured to sign the agreement in a small room.
- When Rasnab reported a new breach affecting more than 300,000 fans last week, Ajax threatened to press charges instead of thanking him.
The reason we hadn’t heard of the data breach before is that Ajax made Abdoul Rasnab, the ethical hacker who discovered the vulnerability, sign a non-disclosure agreement.
At the time, Rasnab managed to gain access to the soccer club’s ticketing system. This allowed him to view personal information of customers, personnel, and prominent players, such as Sjaak Swart.
According to Rasnab, Ajax pressured him to sign a confidentiality agreement not to disclose or discuss the incident. In the agreement, Ajax required that the ethical hacker not access the club’s systems again, unless Ajax or Eventim, the ticket company Ajax collaborated with at the time, asked him to.
“I was sent into a small room. No normal conversation, no appreciation. Instead: transgressive behavior, intimidation, and racist remarks that I will never forget. I was young. I felt pressured. I signed, not because it felt right, but because I thought I had no choice,” Rasnab told BNR, which has reviewed the 2017 non-disclosure agreement, in an interview.
Last week, Rasnab disclosed yet another massive data breach at Ajax, exposing personal information of more than 300,000 fans, including people with a stadium ban.
Before going public, the ethical hacker informed Ajax’s management team about the new vulnerability he discovered. But instead of showing appreciation, the club threatened to press charges against him. That’s why Rasnab decided to talk to the press.
Ajax subsequently filed a police report, which the hacker confirmed.
Whether the police report will hold up remains to be seen. The Public Prosecution Service of the Netherlands has strict policies on when to prosecute ethical hackers.
“The Public Prosecution Service considers it important that ethical hackers can continue to search for and report vulnerabilities so that IT systems can be made more secure. If a report is filed regarding the actions of an ethical hacker by an organization that does not have a Coordinated Vulnerability Disclosure (CVD) policy, this is no reason for the Public Prosecution Service to immediately classify the ethical hacker as a suspect,” the Public Prosecution Service says.
Ajax ignored a request to respond and instead referred to a previously made statement.