In 2017, soccer club Ajax kept a major data breach under wraps after a report from ethical hacker Abdoul Rasnab. This has emerged from an investigation by Dutch news agency BNR, which reviewed a non-disclosure agreement signed with him at the time and signed by, among others, then-CEO Edwin van der Sar.
In 2017, Rasnab gained access to the Amsterdam club’s ticketing system, which was then operated in collaboration with Eventim. Through that system, he was able to view personal data of fans and employees, including data on club icon Sjaak Swart. After his report, he was invited for a meeting, after which he was required to sign an agreement in which he promised not to disclose anything about the breach and not to access the systems again without permission.
According to Rasnab, that interaction took place under pressure. He claims he felt intimidated and that it was not an equal conversation. Ultimately, he signed the agreement.
In October 2024, Rasnab contacted Ajax again to discuss his previous experiences. The club subsequently apologized and gave him a season ticket and compensation for his earlier report.
This year, Rasnab again discovered vulnerabilities in Ajax’s digital systems. The club has been working with ticket provider Secutix since 2021. According to the hacker, through those systems he was able to view not only season ticket holders’ data, but also internal emails and information regarding stadium bans.
Rasnab reports that he encountered these issues during a broader audit of digital systems at several Eredivisie clubs. The risks at Ajax were reportedly the greatest.
Warning and threat of legal action
When he informed the club about this, he claims he was referred to the earlier non-disclosure agreement. In an email, Ajax reportedly warned him of possible legal action if he attempted to gain access again or approached employees.
Rasnab then went to RTL Nieuws to make the breach public. Ajax subsequently filed a police report against him and reported the data breach to the Dutch Data Protection Authority.
Criminal complaints against ethical hackers are rare. The Public Prosecution Service generally follows the principle that hackers who report vulnerabilities in the public interest are not typically prosecuted, provided they do not go beyond what is necessary.
Ajax declined to comment on the substance of the matter and referred to a previously issued statement.