Hack of Ajax Football Club App Exposes Personal Data of 300,000 Fans
What Happened — Dutch police arrested a 35‑year‑old suspect after he repeatedly accessed Ajax’s internal IT systems via a vulnerability in the club’s official mobile app. The breach exposed personal details—including email addresses and ticket information—of roughly 300 000 registered supporters, far exceeding the club’s initial estimate of a few hundred victims.
Why It Matters for TPRM —
- Large‑scale personal data exposure creates phishing and identity‑theft risks for end‑users and can damage a vendor’s reputation.
- The incident stemmed from a weakness in a consumer‑facing application, highlighting the need for rigorous third‑party app security assessments.
- Supply‑chain implications arise if the compromised data is leveraged against partners, sponsors, or employees of the club.
Who Is Affected — Sports & entertainment organizations, fan‑engagement platforms, ticketing and CRM providers, and any downstream partners handling supporter data.
Recommended Actions —
- Review contracts with the club and any associated app providers for security clauses and breach‑notification obligations.
- Request evidence of the post‑incident remediation (e.g., penetration‑test reports, code‑review findings).
- Conduct a risk assessment of any data shared with the club (email lists, ticketing data) and monitor for phishing campaigns targeting supporters.
- Update third‑party risk questionnaires to include app‑security testing and secure development lifecycle (SDLC) requirements.
Technical Notes — The attacker exploited a misconfiguration/vulnerability in the Ajax mobile application that allowed unauthorized read/write access to supporter records and ticket‑ban lists. No specific CVE was disclosed. Exfiltrated data included email addresses, ticket purchase history, and ban‑list status. Source: Bitdefender Blog – Police arrest hack of Ajax football