Dutch detectives arrested a 35-year-old man from Buren on May 26 for repeatedly accessing AFC Ajax’s computer systems without authorization, the Dutch National Police announced that morning. What the intrusion actually exposed is the bigger story.

The vulnerabilities were basic: unauthenticated API endpoints and shared access keys baked into Ajax’s app and website. Those two flaws let an attacker access private data for more than 300,000 registered fans, steal or disable more than 42,000 season tickets, and modify active stadium ban records for 538 supporters. Ajax disclosed the breach on March 25.

The case has a twist: the suspect didn’t sell the data or leak it. He went to an RTL journalist instead, who demonstrated the vulnerabilities live, transferring tickets and lifting bans, before Ajax had patched anything. Dutch police aren’t treating that as ethical behavior, and they made clear the arrest was not a formality: going to media with live exploit access, rather than to the company or a Dutch disclosure channel, is still unauthorized intrusion.

For operators running consumer-facing apps: unauthenticated endpoints and shared API keys aren’t a config oversight, they’re a legal exposure. Implementing OAuth and rotating secrets is an engineering sprint. Notifying a national data protection authority and cooperating with a criminal investigation isn’t. Ajax patched everything and reported to both the DPA and Dutch police after the fact. Front-load that work.
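The two flaw classes named above map to one design mistake: the server trusts a secret that every copy of the client carries, so it never learns who the caller is or whether the caller owns the object being changed. The sketch below is an added illustration, not Ajax’s code or anything from the investigation; the ticket store, fan ids, key value and function names are all constructed for the example. It puts the weak pattern (a ticket-transfer handler gated only by a shared app key) next to a hardened one that authenticates the caller with a per-user session token and enforces object-level ownership before any change, recording every denied attempt so the operator has something to alert on.

```python
"""Added example: shared-key endpoint vs. per-user authentication with
object-level authorization. All identifiers and data are constructed."""
import secrets

# Constructed ticket store: ticket id -> owning fan id
TICKETS = {"T-1001": "fan-1", "T-1002": "fan-2"}

# Weak pattern: a single key baked into every installed copy of the app.
SHARED_APP_KEY = "constructed-shared-app-key"

# Audit trail of denied requests; in production this would feed the SIEM.
DENIED = []


def insecure_transfer(tickets, api_key, ticket_id, new_owner):
    """Vulnerable pattern: the server only checks the shared key, so any
    client holding it can reassign any ticket. It never asks who is calling."""
    if api_key != SHARED_APP_KEY:
        return False
    tickets[ticket_id] = new_owner
    return True


# Hardened pattern: opaque per-user tokens issued at login, looked up
# server-side. (A real deployment would issue OAuth/OIDC access tokens;
# a dict stands in for that here.)
SESSIONS = {}  # token -> fan id


def issue_token(fan_id):
    """Issue a random, unguessable session token bound to one fan."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = fan_id
    return token


def secure_transfer(tickets, sessions, token, ticket_id, new_owner):
    """Hardened handler: authenticate the caller, then check that the caller
    owns the ticket (object-level authorization) before changing it.
    Returns a short status string standing in for an HTTP status."""
    caller = sessions.get(token)
    if caller is None:
        DENIED.append(("unauthenticated", ticket_id))
        return "unauthenticated"  # 401: no valid session
    if tickets.get(ticket_id) != caller:
        DENIED.append(("forbidden", caller, ticket_id))
        return "forbidden"  # 403: valid user, not their ticket
    tickets[ticket_id] = new_owner
    return "ok"


if __name__ == "__main__":
    store = dict(TICKETS)
    # Weak: the shared key alone moves a ticket belonging to someone else.
    print(insecure_transfer(store, SHARED_APP_KEY, "T-1002", "fan-1"))

    store = dict(TICKETS)
    fan1 = issue_token("fan-1")
    print(secure_transfer(store, SESSIONS, "not-a-token", "T-1001", "fan-2"))
    print(secure_transfer(store, SESSIONS, fan1, "T-1002", "fan-1"))
    print(secure_transfer(store, SESSIONS, fan1, "T-1001", "fan-2"))
    print(DENIED)
```

The point of the comparison is the second check in `secure_transfer`: authentication alone is not enough, because a logged-in fan could still name another fan’s ticket id. Ownership has to be verified per object, and the refusals logged, since a burst of 403s across many ticket ids is exactly the signal an operator wants to see before a mass transfer rather than after.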

Nathan Zakhary