
Ajax football club hack exposed fan data, enabled ticket hijack

Why This Matters

The Ajax football club hack highlights the critical importance of robust cybersecurity measures in protecting fan data and preventing ticket fraud. As sports organizations increasingly rely on digital systems, this incident underscores the need for stronger security protocols to safeguard sensitive information and maintain trust among fans and stakeholders.

Key Takeaways

Dutch professional football club Ajax Amsterdam (AFC Ajax) disclosed that a hacker exploited vulnerabilities in its IT systems and accessed data belonging to a few hundred people.

The security issues also allowed purchased tickets to be transferred to other people and enabled modifications to stadium bans imposed on certain individuals.

The club learned about the security issues and their effect from journalists who were tipped off by the hacker.

AFC Ajax is one of the most successful football clubs, having won the UEFA Champions League four times and holding 36 titles in the Eredivisie, the premier professional football league in the Netherlands.

“We recently discovered that a hacker in the Netherlands unlawfully gained access to parts of our systems. Data was viewed,” AFC Ajax stated.

“What we now know is that only the email addresses of a few hundred people were viewed. In addition, for fewer than 20 people with a stadium ban, their names, email addresses, and dates of birth were accessed.”

RTL journalists who received a tip from the hacker independently verified the vulnerabilities and reported that they were able to transfer season tickets from their holders to arbitrary people, access and modify stadium ban records, and gain broad access to fan data via APIs and shared keys.

In a demonstration, they reassigned a VIP season ticket in seconds. Most worryingly, RTL stated it could manipulate 42,000 season tickets and 538 supporter stadium bans, and view details on over 300,000 accounts.

AFC Ajax says that it has engaged external experts to determine the scope of the incident and identify the root cause, while noting that the exposed data has not been leaked.

Meanwhile, all identified vulnerabilities have been patched, and additional security measures have been introduced.
