2 Remove Virus

Dutch Police Arrest Suspect Accused of Hacking Ajax Football Club Systems

Dutch police have arrested a 35-year-old man suspected of hacking the digital systems of AFC Ajax and exposing security flaws that potentially affected hundreds of thousands of football fans.

Authorities arrested the suspect Tuesday morning in the municipality of Buren following an investigation into unauthorized access to Ajax systems earlier this year. Investigators say the man illegally entered the club’s infrastructure multiple times during early 2026 without permission.

The case emerged publicly in March after Dutch media outlets RTL Nieuws and BNR reported major security weaknesses affecting Ajax’s app and ticketing systems. According to those reports, the vulnerabilities could have exposed private data belonging to more than 300,000 registered Ajax supporters.

Investigators said the attacker gained access to information connected to over 42,000 season tickets. The flaws allegedly made it possible to transfer tickets to other accounts or disable them entirely without authorization. The vulnerabilities also exposed details linked to 538 individuals subject to stadium bans, with reports suggesting those bans could potentially have been modified or removed.

Ajax confirmed the breach in March and stated that unauthorized access had occurred within parts of its systems. The club said external cybersecurity experts were brought in immediately to investigate the incident, patch vulnerabilities, and strengthen security protections. Ajax also notified the Dutch Data Protection Authority and filed a police complaint.

The suspect reportedly claimed his actions amounted to responsible disclosure after informing journalists about the security flaws. However, Dutch authorities argue the conduct does not qualify as ethical hacking because the systems were repeatedly accessed without authorization, and the vulnerabilities were not first disclosed privately to Ajax.

Under Dutch responsible disclosure guidelines, ethical hackers are generally expected to report vulnerabilities directly to affected organizations without exploiting systems beyond what is necessary to demonstrate the issue. Prosecutors say Ajax only became aware of the extent of the vulnerabilities after media coverage emerged.

Police confiscated computers, hard drives, and other digital storage devices during a search of the suspect’s home as part of the ongoing investigation. Authorities are now examining whether any stolen data was copied, distributed, or used beyond demonstrating the vulnerabilities.

Ajax stated that, based on current findings, only a limited amount of personal data was confirmed as accessed, including email addresses belonging to several hundred individuals and names and birth dates tied to fewer than 20 people with stadium bans. The club said there is currently no evidence that the data was further distributed.