Ajax suffers second major data breach, sparking legal battle with ethical hacker
Ajax has faced another major data breach, this time exposing sensitive internal information and fan details. The incident came to light in October 2024 after ethical hacker Abdoul Rasnab uncovered vulnerabilities in the club's digital systems. Unlike his previous findings in 2017, this breach has led to legal threats and a police report filed by the club.
The first breach occurred in 2017, when Rasnab accessed Ajax's ticketing system. He found he could view personal data belonging to fans, employees, and even club legend Sjaak Swart. After reporting the issue, Ajax required him to sign a non-disclosure agreement, preventing him from discussing the incident further.
Years later, in 2024, Rasnab discovered new flaws in Ajax's systems, operated by Secutix. This time, the exposed data included not just season ticket holders' details but also internal emails and records of stadium bans. He alerted the club, but instead of cooperation, he faced legal threats due to the earlier agreement.
Fearing retaliation, Rasnab turned to RTL Nieuws to make the breach public. Ajax then confirmed the leak, stating they had patched the vulnerabilities, enhanced security, and reported the matter to the Dutch Data Protection Authority. The club also filed a police complaint against Rasnab, though they refused to comment further on the specifics.
Criminal complaints against ethical hackers remain uncommon, as many operate in the public interest. However, Ajax's response highlights the tensions between security researchers and organisations when legal agreements restrict transparency.
The 2024 breach has forced Ajax to tighten its digital defences and report the incident to authorities. Rasnab's actions, while intended to expose weaknesses, have resulted in legal consequences due to prior agreements. The club has not announced any additional steps beyond the initial measures taken after the leak was revealed.