NEWS

AFC Ajax drops ball as flaws let hackers play admin with tickets and bans

Vulns in Dutch football club's systems didn't just expose data – they let outsiders play with accounts, and even lift stadium bans Dutch football giant AFC Ajax has admitted to a data breach after an attacker gained access to its internal systems, in an incident that looks less like a stray pass…

By The Register
AFC Ajax drops ball as flaws let hackers play admin with tickets and bans
AFC Ajax drops ball as flaws let hackers play admin with tickets and bans Photo: The Register

Vulns in Dutch football club's systems didn't just expose data – they let outsiders play with accounts, and even lift stadium bans
Dutch football giant AFC Ajax has admitted to a data breach after an attacker gained access to its internal systems, in an incident that looks less like a stray pass and more like the gates left wide open.

The club says a "hacker in the Netherlands" exploited vulnerabilities to access parts of its systems, viewing email addresses of a few hundred people and limited personal data tied to fewer than 20 supporters with stadium bans.

Ajax says it patched the holes, notified regulators, and has "no indication" the data has spread further.

That's the scoreboard Ajax wants to show.

The match report from RTL News looks more like a game where the defense stayed in the locker room.

The flaws potentially exposed data tied to more than 300,000 registered supporters and put upwards of 42,000 season tickets in play – tickets that could be stolen or simply vanish from an account with little the ticketholder could do about it.

RTL also found details of more than 500 supporters with stadium bans sitting there for the taking, including the reasons behind them – from scuffles with stewards to drug-related incidents.

Not exactly the sort of thing you'd want easily searchable.

As one affected individual, a local government worker, put it: "This could harm my career."
Ajax's own statement concedes that a journalist demonstrated the ability to transfer tickets and modify bans, but offered little detail on how such a wide-open setup made it into production in the first place.

RTL's reporting points to a more basic problem: systems that trusted requests they shouldn't have, handing out the same digital keys to everyone, and effectively letting anyone call the shots.

Ajax appears keen to keep the scoreline respectable, focusing on the limited number of confirmed data exposures.

But when outsiders can not only see the data but also pull the levers behind it, this looks less like a narrow breach and more like an own goal scored with no one in the net.

®

Related Stories

Source: This article was originally published by The Register

Read Full Original Article →

Share this article

Comments (0)

No comments yet. Be the first to comment!

Leave a Comment

Maximum 2000 characters