Ajax football club hack exposed fan data, enabled ticket hijack
Dutch professional football club Ajax Amsterdam (AFC Ajax) disclosed that a hacker exploited vulnerabilities in its IT systems and accessed data belonging to a few hundred people.
The security issues also allowed transferring purchased tickets to others and enabled modifications to stadium bans imposed to certain individuals.
The club learned about the security issues and their effect from journalists who were tipped off by the hacker.
AFC Ajax is one of the most successful football clubs, winning the UEFA Champions League four times and with 36 Eredivisie titles, the premier professional football league in the Netherlands.
“We recently discovered that a hacker in the Netherlands unlawfully gained access to parts of our systems. Data was viewed,” AFC Ajax stated.
“What we now know is that only the email addresses of a few hundred people were viewed. In addition, for fewer than 20 people with a stadium ban, their names, email addresses, and dates of birth were accessed.”
RTL journalists who received a tip from the hacker independently verified the vulnerabilities and reported that they were able to transfer season tickets from their holders to arbitrary people, access and modify stadium ban records, and gain broad access to fan data via APIs and shared keys.
In a demonstration, they reassigned a VIP season ticket in seconds. Most worryingly, RTL stated it could manipulate 42,000 season tickets, 538 supporter stadium bans, and view details on over 300,000 accounts.
AFC Ajax says that it has engaged external experts to determine the scope of the incident and identify the root cause, while noting that the exposed data has not been leaked.
Meanwhile, all identified vulnerabilities have been patched, and additional security measures have been introduced.
The Dutch Data Protection authority, as well as the police, have also been notified accordingly.
RTL’s investigation was clearly non-malicious. Likewise, the attacker’s limited access and decision to disclose the flaws via the media, rather than exploit them for profit or extortion, suggest the vulnerabilities were not abused at scale.
However, it remains unclear whether this was the first time these weaknesses in Ajax’s systems were discovered or exploited.
Ajax fans who have registered with the club’s systems or purchased season tickets should remain vigilant for suspicious communications, especially those impersonating or claiming to come from the AFC Ajax club.
source: BleepingComputer
