293/69 Friday, May 29, 2026
The Dutch National Police arrested a 35-year-old man suspected of being involved in multiple unauthorized intrusions into the computer systems of Ajax Amsterdam, also known as AFC Ajax, earlier in 2026. According to the police, the suspect unlawfully accessed the club’s computer systems several times. After the incident was reported, investigators launched an investigation that eventually led to the identification of the suspect.
AFC Ajax previously disclosed the incident in late March, stating that the attacker had exploited vulnerabilities in the club’s IT systems to access the personal data of several hundred individuals. The vulnerability could also have been used to modify stadium bans imposed on fewer than 20 individuals and transfer purchased tickets to other people. According to a report by RTL, the same vulnerability also allowed access to fan data through an API and a shared key, with the attacker demonstrating the ability to transfer VIP season ticket rights within seconds.
The report further stated that the attacker was able to demonstrate the possibility of modifying stadium ban records for 538 fans, managing approximately 42,000 season tickets, and viewing details of more than 300,000 user accounts. Ajax has since fixed the vulnerability exploited in the attack and reported the incident to the Dutch Data Protection Authority and the police for further action.