The Ajax logo outside of the Johan Cruijff ArenA in Amsterdam. 23 March 2019- Credit: Michael715 / DepositPhotos - License: DepositPhotos

Man, 35, arrested over hack targeting Ajax app and fan data

A 35-year-old man from the municipality of Buren was arrested on Tuesday morning as part of an investigation into alleged hacking activities targeting AFC Ajax. Authorities suspect he illegally entered the club’s computer systems on several occasions in early 2026 without authorization, BNR reported.

The security breach was uncovered in March 2026 after an investigation by RTL Nieuws. According to the report, the suspected hacker had informed journalists about weaknesses in the club’s digital systems.

Through security flaws in the Ajax app, it was potentially possible to access private data belonging to more than 300,000 registered Ajax fans.

Authorities say the hacker gained access to information linked to more than 42,000 season tickets. The security flaw could have allowed those tickets to be digitally reassigned or disabled entirely.

The breach also revealed information on 538 individuals subject to stadium bans. Investigators said the system vulnerability could even have been used to lift those bans without authorization.

The suspect has portrayed his actions as responsible disclosure after exposing the vulnerabilities through the media, but police say he does not meet the standard of an ethical hacker.

According to guidelines from the Public Prosecution Service, security flaws should be reported immediately and solely to the organization involved. Investigators say the man repeatedly accessed systems illegally, while Ajax only became aware of the issue after media coverage, prompting the club to file a criminal complaint.

Police confiscated multiple digital storage devices, such as computers and hard drives, during a search of the suspect’s residence in Buren as part of the ongoing investigation.

After uncovering the breach, Ajax promptly notified the Dutch Data Protection Authority about the incident. The club says the investigation so far shows that only the email addresses of several hundred individuals were accessed, as well as the names and birth dates of a limited number of people subject to stadium bans.

Investigators are continuing to examine whether any data was, in fact, stolen or shared by the suspect. Ajax has meanwhile closed the security gap and tightened its cybersecurity measures.