Dutch police have arrested a 35-year-old man suspected of hacking into the computer systems of Amsterdam football giant Ajax, after the personal data of hundreds of thousands of supporters was put at risk.
According to a Dutch police statement, the unnamed suspect was arrested on Tuesday in Buren, on suspicion of repeatedly gaining unauthorised access to Ajax’s IT systems.
When news of a possible security breach at Ajax first broke earlier this year, the club was keen to play down its scale – acknowledging that an outsider had gained unauthorised access to data, including supporters’ email addresses, but suggesting that only a few hundred fans had been affected.
However, it quickly emerged that the claim of a “few hundred” potential victims was wide of the mark, as it was reported that the incident could have exposed the personal details of around 300,000 registered Ajax supporters.
In short, the number of supporters whose details were exposed was around 1000 times larger than the club’s initial estimate.
The problem was linked to security weakness in the official Ajax app – used by fans to access their tickets, and allowing an attacker to reportedly view fans’ personal details, steal and resell match and season tickets, and even view or alter information about the roughly 500 people banned from attending matches.
For that last capability to fall into the hands of unauthorised parties was particularly troubling. It transpired that someone could silently remove individuals from the ban list (which would include those banned due to hooliganism)- or add the names of innocent people to it.
As Bart Schermer, the professor of privacy and cybercrime at Leiden University, pointed out, a prospective employer might think twice about hiring someone banned from attending football matches – leading to the possibility that the vulnerability in Ajax’s app could be weaponised against individuals.
Ajax says that it has worked with external experts to patch the vulnerabilities, and has strengthened its security. Which is obviously good news, but little relief for those whose data might have already been accessed.
It is easy to imagine that just a database of email addresses linked to football fans could be attractive to scammers who might launch phishing attacks posing as ticket offers, refunds, or special promotions to supporters.