Dutch police arrested a 35-year-old man on May 26, 2026, in connection with a series of unauthorized intrusions into AFC Ajax’s digital infrastructure that exposed the personal data of hundreds of thousands of supporters. The suspect, whose name has not been publicly disclosed, was apprehended in the municipality of Buren in Gelderland province after investigators seized multiple digital storage devices from his home. The case has reignited a sharp debate within the security community over where ethical vulnerability research ends and criminal computer trespass begins.
// 01 Ajax Data Breach: What the Attacker Could Access
The scope of what was accessible inside Ajax’s systems stands in stark contrast to what the club initially told the public. Ajax’s official statement claimed only email addresses belonging to “a few hundred people” were viewed, with fewer than 20 individuals having names, email addresses, and dates of birth accessed.
Independent reporting by RTL Nieuws told a very different story. Their investigation, published on March 25, 2026, found that data belonging to more than 300,000 registered Ajax fans was accessible through the compromised systems. Beyond passive data exposure, the breach extended into operational territory: records for over 42,000 season ticket holders were not merely viewable but transferable — meaning an attacker could reassign tickets to different accounts. Most critically, a database of 538 supporters currently subject to active stadium bans was accessible and modifiable, raising serious public safety concerns about the integrity of crowd-control measures at one of Europe’s largest football venues.
The attacker accessed the systems “multiple times” beginning in early 2026. Rather than reporting his findings to Ajax directly, the suspect contacted RTL Nieuws journalist Daniël Verlaan, who then conducted independent verification of the vulnerabilities before publication. Ajax learned the full scope of the intrusions not from the attacker, not from internal detection — but from reading the news.
// 02 The API Vulnerability: Season Ticket Theft Made Trivially Easy
The root cause traced back to exposed and poorly secured API endpoints: the programmatic interfaces (API stands for Application Programming Interface, a URL-based address that an application calls to retrieve or submit data) through which Ajax’s mobile app, website, and third-party ticketing services communicate with backend servers. Shared access keys were insufficiently protected, and data packets flowing between client applications and backend services could be intercepted and modified by an attacker positioned to observe that traffic.
When authentication controls on API endpoints are weak or improperly scoped, any caller who can reach the endpoint and present a valid-looking credential can perform operations they were never meant to perform: reading other users’ records or, worse, modifying them. A shared client key proves only that the caller has a copy of the app, not that the caller owns the record being read or changed.
The clearest demonstration of severity: RTL journalist Verlaan, using the vulnerability information provided by the suspect, was able to reassign a VIP season ticket belonging to Ajax director Menno Geelen to a different account within seconds. No specialized exploit code was required. The misconfiguration alone was sufficient.
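The pattern the article describes, a shared client credential standing in for per-record authorization, is easiest to see in code. The following is an added illustration written for this article, not Ajax’s code or the actual endpoint; the account ids, ticket ids, session tokens and the `SHARED_API_KEY` value are constructed sample data. It places a weak transfer handler, which checks only a key every client carries, next to a hardened one that identifies the caller from a per-user session, refuses to move a ticket the caller does not own, and writes an audit record for every attempt so that abuse is detectable internally rather than discovered from the news.

```python
"""Ticket-transfer authorization: weak form beside hardened form.

Added example, not Ajax's code. All records below are constructed sample data.
"""
from dataclasses import dataclass, field
import hmac

# Assumption: one key baked into every copy of the client app (the weakness
# described in the article). Any caller who has it looks "authenticated".
SHARED_API_KEY = "app-shared-key-EXAMPLE"


class AuthorizationError(Exception):
    """Raised when a request is refused; the handler maps this to HTTP 403/404."""


@dataclass
class Ticket:
    ticket_id: str
    owner: str  # account id of the season ticket holder


@dataclass
class TicketStore:
    tickets: dict = field(default_factory=dict)   # ticket_id -> Ticket
    accounts: set = field(default_factory=set)    # known account ids
    sessions: dict = field(default_factory=dict)  # session token -> account id
    audit: list = field(default_factory=list)     # (event, caller, ticket, target)


def build_sample_store() -> TicketStore:
    """Constructed sample data: two ticket holders and one unrelated account."""
    store = TicketStore()
    store.accounts.update({"acct-alice", "acct-bob", "acct-carol"})
    store.tickets["T-1001"] = Ticket("T-1001", "acct-alice")
    store.tickets["T-1002"] = Ticket("T-1002", "acct-bob")
    store.sessions["sess-alice"] = "acct-alice"
    store.sessions["sess-carol"] = "acct-carol"
    return store


def transfer_weak(store: TicketStore, api_key: str, ticket_id: str, new_owner: str) -> Ticket:
    """Weak form: authentication without object-level authorization.

    The only check is the shared client key, so any caller holding it can
    reassign ANY ticket to ANY account. Nothing is logged.
    """
    if not hmac.compare_digest(api_key, SHARED_API_KEY):
        raise AuthorizationError("invalid api key")
    ticket = store.tickets[ticket_id]
    ticket.owner = new_owner
    return ticket


def transfer_hardened(store: TicketStore, session_token: str, ticket_id: str, new_owner: str) -> Ticket:
    """Hardened form: per-user identity, ownership check, validated target, audit trail."""
    caller = store.sessions.get(session_token)
    if caller is None:
        store.audit.append(("deny-unauthenticated", None, ticket_id, new_owner))
        raise AuthorizationError("unauthenticated")
    ticket = store.tickets.get(ticket_id)
    # Treat "not yours" and "does not exist" identically so the endpoint cannot
    # be used to enumerate which ticket ids are real.
    if ticket is None or ticket.owner != caller:
        store.audit.append(("deny-not-owner", caller, ticket_id, new_owner))
        raise AuthorizationError("ticket not found")
    if new_owner not in store.accounts:
        store.audit.append(("deny-bad-target", caller, ticket_id, new_owner))
        raise AuthorizationError("unknown target account")
    ticket.owner = new_owner
    store.audit.append(("transfer", caller, ticket_id, new_owner))
    return ticket


def attempt(fn, *args) -> str:
    """Run a handler and report 'ok' or 'denied', mirroring an HTTP success/403."""
    try:
        fn(*args)
        return "ok"
    except AuthorizationError:
        return "denied"


def denial_count(store: TicketStore, caller: str) -> int:
    """Detection hook: how many transfers a given account has been refused.
    A single session racking up denials across many ticket ids is the signal
    an internal monitor should alert on."""
    return sum(1 for ev in store.audit if ev[0].startswith("deny") and ev[1] == caller)
```

In the weak form, an account that owns nothing (`acct-carol`) can move `acct-alice`’s ticket simply by presenting the shared key; in the hardened form the same request is refused and recorded, while a transfer by the actual owner to a known account succeeds. The audit list is what makes the difference between learning about misuse from a journalist and learning about it from your own monitoring.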
%% Ajax hack, arrest, and responsible disclosure dispute — March–May 2026
sequenceDiagram
autonumber
participant A as Attacker<br/>(35-year-old, Buren NL)
participant AX as Ajax APIs & Systems<br/>(ticketing, fan database)
participant RTL as RTL Nieuws<br/>(Journalist Daniël Verlaan)
participant AP as AFC Ajax<br/>(Organisation)
participant P as Dutch National Police
A->>AX: Early 2026 — exploit exposed API endpoints<br/>shared access keys; data accessible, tickets transferable
Note over A,AX: 300K+ fan records · 42K season tickets<br/>538 stadium bans viewable & modifiable
A->>AX: Re-access systems multiple times
Note over AX: Verlaan reassigns Menno Geelen<br/>VIP ticket in seconds using PoC
A->>RTL: Tips journalist directly — does NOT notify Ajax
RTL->>RTL: Independently verifies vulnerabilities
RTL->>AP: Publishes investigation (March 25, 2026)
Note over AP: Ajax learns full breach scope from media<br/>— not from the attacker
AP->>P: Files criminal complaint with Dutch National Police
P->>P: Criminal investigation department opens case;<br/>traces intrusion to Buren resident
P->>A: May 26 2026 — arrest; digital storage devices seized
Note over P,A: Charged: intentional, unlawful computer access<br/>"multiple times" — computer trespass under Dutch law
// 03 Responsible Disclosure or Computer Trespass? The Legal Line
This is where the case becomes genuinely complex — and where it matters most to the security community.
The suspect’s position is that his actions constituted responsible disclosure: he identified serious vulnerabilities affecting hundreds of thousands of people and brought them to light in the public interest. It is a framing many security researchers would find sympathetic on its face.
Dutch law and prosecution guidelines draw a precise line. Under the Dutch Public Prosecution Service’s framework for CVD (Coordinated Vulnerability Disclosure — a structured process in which a researcher privately notifies a vendor of a discovered flaw, agrees on a remediation timeline, and discloses publicly only after a fix is deployed or the timeline expires), a researcher who discovers a security flaw and wishes to avoid criminal liability must report it immediately and exclusively to the affected organization. The guidelines are explicit: going to the media first — or instead — disqualifies the researcher from the legal protections that CVD affords.
In this case, Ajax was never directly informed by the attacker. The suspect went to a journalist. According to Dutch police, that single decision collapses the ethical hacker defense entirely under Dutch law, regardless of the suspect’s stated motivations. There were no ransom demands, and no confirmed financial motive — but under Dutch criminal code, unauthorized computer access is prosecuted on the basis of the intrusion itself, not the intent that followed.
The formal charge: “intentionally and unlawfully entering Ajax’s computer systems multiple times” — computer trespass under Dutch statute.
The 90-day disclosure norm popularized by Google Project Zero exists precisely because organizations without external pressure sometimes patch nothing. But even researchers who disagree with an organization’s responsiveness are legally bound to start with the organization, not bypass it.
// 04 What Ajax Did — and Didn’t — Tell the Public
After RTL Nieuws published its investigation on March 25, 2026, Ajax filed a criminal complaint and engaged external cybersecurity experts to assess and remediate the vulnerabilities. The club notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens — the Netherlands’ GDPR supervisory body) as required by law. Ajax also sent warning emails to ticket holders advising vigilance against phishing attempts.
What Ajax did not volunteer was the scale of exposure its own fans faced. The club’s public communications described a breach affecting hundreds of email addresses, a characterization that, measured against RTL’s verified findings of 300,000+ accessible records and 42,000+ transferable season tickets, was, at minimum, incomplete.
// 05 What Affected Fans Should Do Right Now
- Change your Ajax account password immediately and ensure it is not reused on any other service. Use a unique, randomly generated credential stored in a password manager.
- Enable two-factor authentication (2FA) on your Ajax account and on any email account linked to it. Even without confirmed credential theft, data exposure events frequently precede credential-stuffing attacks.
- Watch for targeted phishing. Attackers with names, email addresses, and dates of birth can craft convincing impersonation emails referencing your correct details. Be suspicious of any communication claiming to be from Ajax, your bank, or Dutch authorities that requests account action.
- Verify your season ticket status. Log in and confirm that your seat assignment, linked personal details, and payment information are unchanged. Report any discrepancy to Ajax through official channels only.
- File a complaint with the Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl if you believe your personal data was misused. The Dutch DPA has supervisory authority over how Ajax handles this incident under GDPR.
// 06 Background: The Responsible Disclosure Debate in Security
Security researchers routinely discover vulnerabilities in systems affecting large numbers of people. When an affected organization is slow to respond, minimizes the issue, or has a history of ignoring researcher contact, the pressure to go public — or to engage media as a lever — is real. That pressure is why structured CVD processes include defined escalation paths: if a vendor is unresponsive after reasonable private notification, public disclosure becomes a legitimate last resort, not a first move.
The Ajax case is notable because the organization was never given the opportunity to respond at all. From the prosecution’s perspective, this places the suspect outside CVD protections regardless of his intent. From a broader policy perspective, the case raises a legitimate question about whether CVD frameworks create sufficient incentive for researchers to engage with large organizations that may deprioritize external reports.
Dutch CVD guidelines are among the more clearly articulated in Europe — they offer real legal protection to researchers who follow the process. The Ajax case will likely serve as a reference point in those guidelines’ future development, particularly regarding the role of journalism in vulnerability disclosure.
// 07 Conclusion
The arrest closes one chapter while opening another. The technical facts are not seriously disputed: Ajax’s API infrastructure was misconfigured badly enough that a journalist could reassign a director’s VIP season ticket in seconds, and 300,000 fans’ personal records were within reach. Ajax has remediated the vulnerabilities and notified the Dutch DPA.
What the case makes unavoidably visible is that even well-intentioned security research, if not directed to the affected organization first, carries criminal liability under Dutch law. Security professionals and independent researchers who discover vulnerabilities in systems they are not authorized to test should treat direct private notification to the organization — not media, not Twitter, not a bug bounty on a competing platform — as the legally required first step.
For any query contact us at contact@cipherssecurity.com
