AFC Ajax Data Breach Exposes Fan Data and Ticketing Vulnerabilities

Severity: High (Score: 64.5)

Sources: Universiteitleiden.Nl, Theregister, Bleepingcomputer, Feeds2.Feedburner

Summary

AFC Ajax, the Dutch football club, reported a data breach where a hacker exploited vulnerabilities in its IT systems, accessing email addresses of a few hundred supporters and personal data of fewer than 20 individuals with stadium bans. The attack leveraged exposed APIs and shared access keys, allowing unauthorized ticket transfers and modifications to stadium bans. RTL News demonstrated the ease of exploiting these vulnerabilities, including transferring a VIP ticket from a club director's account. The breach potentially affected over 300,000 registered supporters and exposed details of 42,000 season tickets.

Ajax has patched the vulnerabilities and notified the Dutch Data Protection Authority and police. The club stated that the exposed data has not been leaked, but fans are advised to remain vigilant against suspicious communications. The incident raises concerns about the security of personal data and the potential for misuse.

Key Points

  • A hacker accessed personal data of hundreds of Ajax supporters and altered ticketing information.
  • The breach involved vulnerabilities in Ajax's APIs and shared digital keys, allowing unauthorized actions.
  • Ajax has patched the vulnerabilities and notified authorities, but fans should remain cautious.

Key Entities

  • Data Breach (attack_type)
  • AFC Ajax (company)
  • Ajax (company)
  • Netherlands (country)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • T1565 - Data Manipulation (mitre_attack)