Dutch Police Arrest Hacker Behind Ajax Football Club Breach

Key Takeaways

- Dutch police arrested a 35-year-old man for multiple unauthorized intrusions into Ajax Amsterdam's systems
- The breach exposed personal data of up to 300,000 fans and allowed manipulation of 42,000 season tickets
- The suspect claims he reported vulnerabilities to the club before going to the media, raising questions about responsible disclosure
What Happened
Dutch National Police arrested a 35-year-old man on May 26 in connection with multiple unauthorized intrusions into AFC Ajax's computer systems. The suspect, from the municipality of Buren, allegedly exploited vulnerabilities in the Dutch football club's IT infrastructure earlier this year.
“The suspect is suspected of deliberately unlawful intrusion into Ajax's computer systems several times.”
— Dutch National Police, Press Statement
Ajax first disclosed the breach in late March. At that time, the club said the attacker accessed data belonging to a few hundred individuals. The vulnerabilities also allowed modifying stadium bans for fewer than 20 people and transferring purchased tickets to other accounts.
But the actual scope was far larger.
The Full Scope of the Breach
An RTL Nieuws investigation revealed the security flaws ran much deeper than Ajax initially acknowledged. The same vulnerabilities gave broad access to fan data through exposed APIs and shared access keys.
According to RTL's report, the hacker demonstrated how they could reassign a VIP season ticket in seconds. They also showed access to 42,000 season tickets and the ability to manipulate 538 supporter stadium bans. The demonstration highlighted how thin the security layer was between public-facing systems and sensitive fan data.
Ajax has since patched the vulnerabilities and notified both the Dutch Data Protection Authority and police.
The Responsible Disclosure Debate
This case sits at the uncomfortable intersection of security research and criminal hacking. The suspect claims he tried to follow standard disclosure protocols before going public.
“I found the vulnerabilities in the app and website and, as is good practice, I informed the club. They didn't listen, so I had to go to the media to force them to patch it.”
— Suspect, as reported in RTL Nieuws
Police disagree with this characterization. They argue that bypassing private disclosure channels and accessing sensitive data like stadium bans crosses the line from research into criminal activity, regardless of the stated intent.
The case has triggered broader scrutiny of Ajax's cybersecurity history. Reports suggest the club used NDAs to silence security researchers following a previous breach in 2017. If true, this pattern of suppressing vulnerability reports rather than fixing them adds context to the suspect's decision to involve journalists.
Community Split on the Ethics
Online discussions on Reddit's r/netherlands and r/cybersecurity forums show a divided community. Some defend the suspect's actions as necessary whistleblowing. When organizations ignore private reports, they argue, public disclosure becomes the only way to force fixes.
Others take a harder line. Accessing sensitive personal data and demonstrating the ability to manipulate stadium bans goes beyond proving a vulnerability exists. The suspect could have shown the flaw without touching real user data. That choice, critics argue, makes the criminal charge appropriate.
The debate reflects a larger tension in cybersecurity. Responsible disclosure assumes organizations will act in good faith. When they don't, researchers face a choice between staying silent, going public, or finding other pressure points. None of these options is clean.
Dutch Cybercrime Enforcement on the Rise
The Ajax arrest fits a pattern of increased Dutch enforcement activity. In September 2025, police arrested two teenage boys suspected of spying for Russia using a WiFi sniffer device near Europol and Eurojust offices, as well as the Canadian embassy.
More recently, financial crime investigators (FIOD) arrested two men and seized 800 servers linked to a web hosting company that allegedly enabled cyberattacks, interference operations, and disinformation campaigns. Dutch authorities are clearly ramping up their focus on digital crime.
Logicity's Take
What This Means for Organizations
The Ajax breach offers a clear lesson for any organization handling customer data. Exposed APIs and shared access keys are basic security failures. They get exploited.
- Audit API endpoints regularly. If you have public-facing systems, assume someone is probing them.
- Take vulnerability reports seriously. Ignoring researchers does not make problems disappear.
- Scope access properly. Season ticket systems should not expose data on 300,000 fans.
- Avoid using NDAs to bury security issues. It creates resentment and invites public disclosure.
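The "scope access properly" and "shared access keys" points above are easiest to see in code. The following is an added illustration written for this article, not Ajax's code and not based on any knowledge of its systems: a minimal in-memory model of a season-ticket transfer endpoint. The weak handler gates every request behind a single app-wide key and never checks who owns the ticket being moved, so any client holding that key can reassign any ticket. The hardened handler authenticates the individual fan, checks that the ticket belongs to the caller, and logs every denial so that probing shows up in monitoring. The ticket ids, fan ids, session tokens and the `SESSIONS` store are all constructed sample values.

```python
"""Object-level authorization on a ticket-transfer endpoint (added illustration).

Weak pattern: one shared app key, no ownership check.
Hardened pattern: per-user session, ownership check, detection-friendly logging.
All identifiers below are constructed sample data, not real ticket or account ids.
"""
from dataclasses import dataclass, field
import hmac
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("ticket-api")

# One key embedded in every copy of the mobile app (the weak pattern the article describes).
SHARED_APP_KEY = "app-key-shared-by-all-clients"
# Per-user session tokens issued at login. Hypothetical stand-in for a real session store.
SESSIONS = {"tok-a": "fan-a", "tok-b": "fan-b"}


def sample_tickets() -> dict:
    """Fresh copy of two constructed season tickets, so callers can mutate freely."""
    return {
        "ST-1001": {"owner": "fan-a", "seat": "Block 411, row 7"},
        "ST-1002": {"owner": "fan-b", "seat": "VIP box 3"},
    }


@dataclass
class Request:
    headers: dict
    body: dict


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def transfer_ticket_weak(req: Request, tickets: dict) -> Response:
    """Vulnerable: anyone who has the shared app key can move any ticket to any account."""
    if not hmac.compare_digest(req.headers.get("X-App-Key", ""), SHARED_APP_KEY):
        return Response(401, {"error": "bad app key"})
    ticket_id = req.body.get("ticket_id")
    ticket = tickets.get(ticket_id)
    if ticket is None:
        return Response(404, {"error": "no such ticket"})
    ticket["owner"] = req.body.get("to")  # no check that the caller owns this ticket
    return Response(200, {"ticket_id": ticket_id, "owner": ticket["owner"]})


def transfer_ticket(req: Request, tickets: dict) -> Response:
    """Hardened: authenticate the fan, then only allow moving tickets that fan owns."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        log.warning("auth_failed path=/tickets/transfer")
        return Response(401, {"error": "not authenticated"})

    ticket_id = req.body.get("ticket_id")
    ticket = tickets.get(ticket_id)
    # Same 404 whether the ticket is missing or belongs to someone else, so the
    # endpoint cannot be used to enumerate which ticket ids exist.
    if ticket is None or ticket["owner"] != caller:
        log.warning("authz_denied user=%s ticket=%s", caller, ticket_id)
        return Response(404, {"error": "no such ticket"})

    new_owner = req.body.get("to")
    if new_owner not in SESSIONS.values():  # transfers only to known fan accounts
        return Response(400, {"error": "unknown recipient"})

    ticket["owner"] = new_owner
    log.info("ticket_transferred user=%s ticket=%s to=%s", caller, ticket_id, new_owner)
    return Response(200, {"ticket_id": ticket_id, "owner": new_owner})


if __name__ == "__main__":
    # fan-a tries to pull fan-b's VIP ticket into their own account.
    cross_account = {"ticket_id": "ST-1002", "to": "fan-a"}
    print(transfer_ticket_weak(Request({"X-App-Key": SHARED_APP_KEY}, cross_account), sample_tickets()))
    print(transfer_ticket(Request({"Authorization": "Bearer tok-a"}, cross_account), sample_tickets()))
```

The weak handler's only signal that something went wrong is a changed owner in the database, which is why the article's "fewer than 20" estimate could later turn into 42,000 tickets. The hardened handler produces an `authz_denied` line for every cross-account attempt, which a detection rule can threshold on: a single account generating denials across many ticket ids in a short window is the pattern to alert on.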
The suspect is now in custody. The vulnerabilities are patched. But the underlying questions about disclosure ethics and organizational accountability will persist long after this case concludes.
Frequently Asked Questions
How many people were affected by the Ajax data breach?
Up to 300,000 registered fans had personal details potentially exposed. The attacker also had access to 42,000 season tickets and 538 stadium ban records.
What vulnerabilities did the hacker exploit?
The attacker exploited exposed APIs and shared access keys in Ajax's digital infrastructure, allowing broad access to fan data and ticket systems.
Did the hacker try to report the vulnerabilities first?
The suspect claims he informed Ajax about the security flaws before going to the media. Police argue this does not constitute responsible disclosure because he accessed sensitive data.
Has Ajax fixed the security vulnerabilities?
Yes. Ajax has patched the exploited vulnerabilities and notified the Dutch Data Protection Authority and police about the incident.
What charges does the suspect face?
The suspect faces charges of computer trespassing for deliberately unlawful intrusion into Ajax's computer systems multiple times.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer