ctipilot.ch

Dutch National Police arrest 35-year-old from Buren over AFC Ajax breach — 300k+ fan accounts and 42k+ season tickets exposed via misconfigured API access-control and shared keys

incident · item:afc-ajax-amsterdam-arrest-2026-05-26-300k-fan-records-shared-keys-misconfigured-api

Coverage timeline: 1 (first 2026-05-28, last 2026-05-28)
Briefs: 1 (1 distinct)
Sources cited: 46 (29 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-05-28: CTI Daily Brief — 2026-05-28 (active_threats). First coverage of arrest. Suspect arrested 2026-05-26, Buren, NL. Underlying breach disclosed by Ajax 2026-03-25; API shared-key flaw reached 300k+ fan accounts and 42k+ season tickets. Ajax filed GDPR Article 33 notification to Dutch DPA (AP). Pattern transferable to public-sector citizen portals (BOLA/IDOR class).

Where this entity is cited

  • active_threats: 1

Source distribution

  • bleepingcomputer.com: 5 (11%)
  • nltimes.nl: 4 (9%)
  • helpnetsecurity.com: 4 (9%)
  • dutchnews.nl: 3 (7%)
  • therecord.media: 3 (7%)
  • techzine.eu: 2 (4%)
  • cert.ssi.gouv.fr: 2 (4%)
  • theregister.com: 2 (4%)
  • other: 21 (46%)

Related entities


Items in briefs about Dutch National Police arrest 35-year-old from Buren over AFC Ajax breach — 300k+ fan accounts and 42k+ season tickets exposed via misconfigured API access-control and shared keys (8)

Dutch National Police arrest 35-year-old over AFC Ajax fan-data breach — misconfigured API access-control and shared keys exposed 300,000+ accounts and 42,000 season-ticket records

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

Dutch National Police arrested a 35-year-old man from the municipality of Buren on 2026-05-26 on suspicion of computer trespass (computervredebreuk) against AFC Ajax Amsterdam, following an investigation triggered by Ajax's own disclosure in late March 2026 (BleepingComputer, 2026-05-27; The Record, 2026-05-27; NL Times, 2026-05-26; AFC Ajax victim statement, 2026-03-25). Investigators searched the suspect's residence and seized multiple digital storage devices. Ajax's own statement (issued at the time of the original March 2026 disclosure) attributes the breach to an unauthorised actor who accessed Ajax systems and exfiltrated data; BleepingComputer and The Record, citing the Dutch police release, report the underlying API flaw exposed more than 300,000 fan accounts and 42,000+ season-ticket holders (BleepingComputer, 2026-05-27; The Record, 2026-05-27). RTL reporting cited in BleepingComputer notes the attacker demonstrated the ability to reassign a VIP season ticket in seconds and modify stadium-ban records. Ajax filed an Article 33 GDPR notification to the Dutch Autoriteit Persoonsgegevens (AP) and a criminal complaint; the underlying gap has since been patched.

Defender takeaway: the recurring pattern — REST or mobile-app backend with shared API keys and weak per-object authorisation checks — is directly transferable to public-sector citizen portals (tax, transport, identity, healthcare appointment systems). Hunt hypothesis: review application logs for sequential ID enumeration on resource endpoints (/ticket/{id}, /account/{id}) from authenticated low-privilege sessions; alert on cross-account modification requests where the authenticated principal does not own the target object (textbook BOLA / IDOR signal — mapped to T1190 Exploit Public-Facing Application and T1078 Valid Accounts). Hardening: enforce per-object ABAC at the API gateway; rotate any "shared" backend API keys; treat the mobile/REST estate as in-scope for the same threat model as the customer web front.
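The hunt hypothesis and hardening step above, as an added example that is not part of the brief or of any Ajax code: Python that parses constructed JSON access-log lines (the log format and field names are an assumption, not a real product's schema), flags runs of consecutive object IDs on /ticket/{id} and /account/{id} per authenticated principal, flags mutating requests whose caller is not the owner of the target object, and shows the per-object ownership check that would have rejected those writes at the API layer.

```python
"""BOLA/IDOR hunt over constructed API access logs, plus the per-object check.

Assumed (hypothetical) log format: one JSON object per line with keys
principal, method, path, status. The ownership map and log lines are
constructed sample data, not real records.
"""
import json
import re
from collections import defaultdict

RESOURCE_RE = re.compile(r"^/(ticket|account)/(\d+)$")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed ownership map: "<kind>/<id>" -> owning principal.
OWNERS = {
    "account/1001": "u-alice", "account/1002": "u-bob", "account/1003": "u-carol",
    "ticket/500": "u-alice", "ticket/501": "u-bob", "ticket/502": "u-carol",
    "ticket/503": "u-dave",
}

# Constructed log: one principal walks ticket IDs 500..506 and then writes
# to objects owned by other users; alice only touches her own account.
SAMPLE_LOG = [
    '{"principal": "u-alice", "method": "GET", "path": "/account/1001", "status": 200}',
    '{"principal": "u-alice", "method": "PUT", "path": "/account/1001", "status": 200}',
    '{"principal": "u-mallory", "method": "POST", "path": "/login", "status": 200}',
] + [
    f'{{"principal": "u-mallory", "method": "GET", "path": "/ticket/{i}", "status": {s}}}'
    for i, s in zip(range(500, 507), [200, 200, 200, 200, 404, 404, 404])
] + [
    '{"principal": "u-mallory", "method": "PUT", "path": "/ticket/501", "status": 200}',
    '{"principal": "u-mallory", "method": "PATCH", "path": "/account/1003", "status": 200}',
    '{"principal": "u-bob", "method": "GET", "path": "/ticket/501", "status": 200}',
]


def parse_line(line):
    """Return a normalised event for resource endpoints, None for anything else."""
    rec = json.loads(line)
    m = RESOURCE_RE.match(rec["path"])
    if not m:
        return None
    return {"principal": rec["principal"], "method": rec["method"],
            "kind": m.group(1), "obj_id": int(m.group(2)), "status": rec["status"]}


def detect_enumeration(events, min_run=5):
    """Per principal and resource type, report the longest run of consecutive IDs
    touched (any status: 404s count, since probing is the signal)."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["principal"], e["kind"])].add(e["obj_id"])
    findings = []
    for (principal, kind), ids in seen.items():
        ordered = sorted(ids)
        run_start, run_len = ordered[0], 1
        best = (run_start, run_len)
        for prev, cur in zip(ordered, ordered[1:]):
            if cur == prev + 1:
                run_len += 1
            else:
                run_start, run_len = cur, 1
            if run_len > best[1]:
                best = (run_start, run_len)
        if best[1] >= min_run:
            findings.append({"principal": principal, "kind": kind,
                             "first_id": best[0], "run_length": best[1]})
    return findings


def detect_cross_account_writes(events, owners=OWNERS):
    """Flag mutating requests where the authenticated caller does not own the object."""
    findings = []
    for e in events:
        if e["method"] not in MUTATING:
            continue
        key = f"{e['kind']}/{e['obj_id']}"
        owner = owners.get(key)
        if owner != e["principal"]:
            findings.append({"principal": e["principal"], "target": key, "owner": owner,
                             "method": e["method"], "status": e["status"]})
    return findings


def authorize(principal, kind, obj_id, owners=OWNERS):
    """Per-object ownership check: the control that makes the flagged writes fail."""
    return owners.get(f"{kind}/{obj_id}") == principal


def analyze(lines):
    events = [e for e in map(parse_line, lines) if e is not None]
    return {"enumeration": detect_enumeration(events),
            "cross_account_writes": detect_cross_account_writes(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Both detections key on the authenticated principal rather than the source IP, because the brief's point is that the requests come from valid low-privilege sessions. The ownership map stands in for whatever the application's real authorization lookup is; in production that lookup is exactly what `authorize` should call before any read or write on a resource endpoint.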

Clinical Diagnostics / NMDL — Dutch IGJ formal NEN 7510 non-conformity ruling

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

The IGJ ruling formally found Clinical Diagnostics / NMDL non-conformant with NEN 7510 (Dutch information-security-management standard for healthcare) at the time of the July 2025 ransomware breach (approximately 941,000 patients affected per Computable / daily 2026-05-14, cervical-cancer screening data exposed). First IGJ NEN 7510 non-conformity finding against a third-party diagnostics provider. For Swiss / EU public-sector defenders: this is the regulatory template member-state regulators are likely to deploy under NIS2 essential-entity supplier-due-diligence obligations — Dutch hospitals using the same supplier and other EU member-state regulators with parallel healthcare-ISO standards (NEN 7510, ISO 27799, the Italian AgID guidelines) will pattern-match this ruling for their own supplier oversight (IGJ inspection report; Computable; daily 2026-05-14).

Dutch IGJ rules Clinical Diagnostics/NMDL failed NEN 7510 information-security standard at time of July 2025 ransomware breach; ~941,000 patients affected, cervical-cancer screening data exposed

From CTI Daily Brief — 2026-05-14 · published 2026-05-14

The Dutch Health & Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd, IGJ) issued a public finding on 2026-05-13 concluding that Clinical Diagnostics LCPL BV and NMDL BV (Rijswijk) did not meet the mandatory NEN 7510 information-security standard at the time of their July 2025 ransomware breach, and had not fully remediated the deficiencies as of IGJ's December 2025 follow-up inspection (IGJ, 2026-05-13; native title: "Clinical Diagnostics voldeed niet aan wettelijke norm voor informatiebeveiliging" — "Clinical Diagnostics did not meet the statutory information-security standard"). NEN 7510 is the Dutch statutory information-security baseline for healthcare organisations under the Wabvpz, structurally aligned with ISO/IEC 27001 but extended for health-data obligations; non-compliance is independently actionable by multiple regulators.

IGJ's two named failures are foundational rather than technical: (1) no independent audit of the laboratory's information security had ever been performed, and (2) the organisation had not periodically assessed its processing risks, leaving it unable to determine which controls were necessary. The July 2025 breach — Computable's prior reporting attributes it to the Nova ransomware group — exposed approximately 941,000 patients' personal and medical records, including cervical-cancer screening results processed for the population-screening programme Bevolkingsonderzoek Nederland (Computable, 2026-05-13). IGJ has no fining power and has demanded short-term independent NEN 7510 certification; Autoriteit Persoonsgegevens (Dutch DPA), whose GDPR enforcement carries fines, is running a parallel investigation. IGJ also signalled sector-wide enforcement intent by publicly calling for all healthcare providers to demonstrate independent certification — a leading indicator of broader inspection cadence.

For a Swiss SOC the parallel is direct: NEN 7510 is the regulatory analogue of the EPDG (Bundesgesetz über das elektronische Patientendossier) security profile, and the two specific failures — absence of third-party audit, absence of periodic risk assessment — are the same hygiene-baseline gaps Swiss healthcare providers face under cantonal supervision. The breach scale (941k records, mass-screening data) is the proximate consequence of those structural gaps; the operationally useful read for defenders is detection of NEN-7510-style baseline gaps via third-party assessment, not signature hunting.

Canvas / Instructure breach — five-day arc from first claim to seven Dutch universities executing emergency disconnects

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Canvas / Instructure is the cleanest example of a campaign chain that accumulated meaningfully different state every day of 2026-W19, and the one a SOC manager carries into Monday morning with an extortion deadline two days out. Day-by-day:

  • 2026-05-06: Instructure confirmed names, email addresses, student ID numbers, and user-to-user messages accessed; detected API-tool disruption ~2026-04-30; revoked privileged credentials and access tokens; passwords / financial data / government IDs out of scope; ShinyHunters claimed 275 M records across ~9,000 institutions including EU and APAC (BleepingComputer, 2026-05-04 · TechCrunch, 2026-05-05 · SecurityWeek, 2026-05-04 · daily 2026-05-06).
  • 2026-05-07: individual universities (University of Nevada Reno, University of Pennsylvania ~300,000+ users) began notifying students and staff directly (University of Nevada Reno president message, 2026-05-06 · daily 2026-05-07 UPDATE).
  • 2026-05-08: SURF (Dutch NREN) confirmed 44 Dutch institutions among victims; attacker posted portal defacements; 2026-05-12 extortion deadline set; Canvas taken offline for emergency patching on 2026-05-07 (NL Times — Canvas hack: student data from 44 Dutch universities and schools taken · The Next Web — largest education data breach in history · daily 2026-05-08 UPDATE).
  • 2026-05-09: three major UK universities (Oxford, Cambridge, Liverpool; Liverpool notified ICO under GDPR Article 33) issued public statements; UNL confirmed 44 Dutch member institutions; 3 GB sample dump on 2026-05-07 contained course-IDs, student emails, assignment metadata, grade records across four UK institutions; Instructure stated the breach vector was a compromised integration service account for a third-party LTI tool provider (not Canvas core infrastructure). The ShinyHunters / WorldLeaks operator-family attribution and the specific extortion-amount figure carried in the daily UPDATE trace to sources not re-fetched at weekly composition time; readers should consult the daily UPDATE for the citation chain (daily 2026-05-09 UPDATE).
  • 2026-05-10: ShinyHunters posted a second intrusion notice 2026-05-08 asserting Canvas retained unpatched vulnerabilities permitting re-entry despite the May 8 patches; Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation; seven Dutch universities (VU Amsterdam, University of Amsterdam, Erasmus Rotterdam, Tilburg, Eindhoven TU/e, Maastricht, Twente) executed emergency Canvas disconnections on/before 2026-05-09; Dutch DPA (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08 · daily 2026-05-10 UPDATE).

State at week-end: 2026-05-12 extortion deadline is Tuesday (two days out); no ransom paid as of 2026-05-09 06:00 UTC; if the second-intrusion claim verifies, Instructure's remediation was incomplete and the data-release threat is materially more credible. European universities running Canvas should treat credential-stuffing risk on stolen student / staff emails as active; audit third-party LTI integrations and revoke service accounts for unused integrations; watch for follow-on phishing campaigns referencing course content. GDPR Article 33/34 notification clocks run from the date Instructure provided scope confirmation to the institution.

UPDATE: Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): ShinyHunters posted a second intrusion notice around 2026-05-08 asserting Instructure's Canvas LMS retained unpatched vulnerabilities allowing re-entry despite the company's earlier security-patch deployment (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08). Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation across its customer base.

Seven Dutch universities — VU Amsterdam, University of Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology (TU/e), Maastricht University, and University of Twente — executed emergency Canvas disconnections on or before 2026-05-09 after the attackers claimed continued active access. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam.

The 2026-05-12 extortion deadline remains active — two days from publication. ShinyHunters's original claim cited 275 million records (names, email addresses, student IDs, private messages) across thousands of educational institutions worldwide (Techzine EU, 2026-05-08); if the second-intrusion claim is verified, Instructure's remediation was incomplete and the data-release threat is materially more credible. Defenders at European universities using Canvas should treat credential-stuffing risk on stolen student / staff emails as active, audit third-party LTI integrations, and watch for follow-on phishing campaigns referencing course content.

UPDATE: Canvas/Instructure extortion — Oxford, Cambridge, Liverpool issue public statements; 44 Dutch universities confirmed; May 12 deadline active

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

UPDATE (originally covered 2026-05-08):

As of the window close (2026-05-09 06:00 UTC), no ransom payment has been made and no further data dump has been published. Three major UK universities issued public statements: University of Oxford confirmed it is working with Instructure and the NCSC-UK; University of Cambridge issued a statement acknowledging that "student and staff data may have been affected" and referred staff to the National Cyber Security Centre guidance; University of Liverpool confirmed it had notified the Information Commissioner's Office under Article 33 GDPR and is conducting a forensic investigation. Universiteiten van Nederland (UNL) confirmed that 44 member institutions are potentially affected, representing all Dutch research universities and applied science universities; the Dutch DPA (Autoriteit Persoonsgegevens) has opened a preliminary investigation.

The threat actor (WorldLeaks) set a 2026-05-12 payment deadline; the extortion amount was stated as €3.2 million. WorldLeaks previously published a 3 GB sample dataset on 2026-05-07 containing course-IDs, student email addresses, assignment metadata, and grade records across four UK institutions. No passwords, payment data, or national identification numbers were present in the sample. Instructure issued a public statement on 2026-05-08 confirming the breach vector was a compromised integration service account for a third-party LTI tool provider (not Canvas core infrastructure), and that the issue was isolated. Instructure stated it notified affected institutions on 2026-05-01 and has been working with law enforcement.

Eurail breach: 308 777 travellers notified three months after December 2025 compromise; Dutch DPA and EDPS open reviews

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

Eurail began issuing breach notifications to 308 777 customers in late April 2026, revealing that an attacker accessed personal data — including passport numbers, IBANs, and DiscoverEU pass details — in a December 2025 incident. The three-month gap between discovery and notification is under review by the Autoriteit Persoonsgegevens (Dutch DPA) and the European Data Protection Supervisor (EDPS), which holds jurisdiction over EU institutional data processing. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness of a breach. The exposed dataset covers travellers from EU member states who registered DiscoverEU passes; Swiss nationals who applied through bilateral arrangement may also be affected. Affected individuals should monitor for identity fraud and, where banking regulations permit, consider IBAN replacement.

UPDATE — Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

(First covered 2026-05-06.) The Instructure/Canvas breach has expanded significantly in scope. The threat actor now claims access affecting 330 institutions across six countries, threatening to publish 16 million student and staff records. SURF (the Dutch National Research and Education Network) has confirmed 44 Dutch institutions among the victims. The attacker posted portal defacements at multiple universities and established a 2026-05-12 extortion deadline for ransom payment. Canvas services were taken offline again on 2026-05-07 for emergency patching. European DPAs in the Netherlands and Germany have opened preliminary inquiries into notification timing. Institutions using Canvas should assess GDPR Article 33/34 breach notification obligations before the May 12 deadline.