HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Hack of Ajax Football Club App Exposes Personal Data of 300,000 Fans

Dutch authorities arrested a suspect after a vulnerability in Ajax’s official mobile app allowed unauthorized access to the personal data of roughly 300 000 supporters. The breach highlights critical third‑party app security gaps for sports and entertainment organizations.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 bitdefender.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
bitdefender.com

Hack of Ajax Football Club App Exposes Personal Data of 300,000 Fans

What Happened — Dutch police arrested a 35‑year‑old suspect after he repeatedly accessed Ajax’s internal IT systems via a vulnerability in the club’s official mobile app. The breach exposed personal details—including email addresses and ticket information—of roughly 300 000 registered supporters, far exceeding the club’s initial estimate of a few hundred victims.

Why It Matters for TPRM

  • Large‑scale personal data exposure creates phishing and identity‑theft risks for end‑users and can damage a vendor’s reputation.
  • The incident stemmed from a weakness in a consumer‑facing application, highlighting the need for rigorous third‑party app security assessments.
  • Supply‑chain implications arise if the compromised data is leveraged against partners, sponsors, or employees of the club.

Who Is Affected — Sports & entertainment organizations, fan‑engagement platforms, ticketing and CRM providers, and any downstream partners handling supporter data.

Recommended Actions

  • Review contracts with the club and any associated app providers for security clauses and breach‑notification obligations.
  • Request evidence of the post‑incident remediation (e.g., penetration‑test reports, code‑review findings).
  • Conduct a risk assessment of any data shared with the club (email lists, ticketing data) and monitor for phishing campaigns targeting supporters.
  • Update third‑party risk questionnaires to include app‑security testing and secure development lifecycle (SDLC) requirements.

Technical Notes — The attacker exploited a misconfiguration/vulnerability in the Ajax mobile application that allowed unauthorized read/write access to supporter records and ticket‑ban lists. No specific CVE was disclosed. Exfiltrated data included email addresses, ticket purchase history, and ban‑list status. Source: Bitdefender Blog – Police arrest hack of Ajax football

📰 Original Source
https://www.bitdefender.com/en-us/blog/hotforsecurity/police-arrest-hack-ajax-football

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →