A team of alleged hackers managed to access one of the FIA’s information databases.
The Fédération Internationale de l’Automobile (FIA) has confirmed a security breach in one of its driver information databases, allowing “hackers” to access Max Verstappen’s personal information in just 10 minutes.
Formula 1 drivers compete under a super license, but registration on the FIA Driver Categorization website allows them to participate in sports car events. A group of bloggers revealed on X that they accessed the system, which contains information on any driver who has participated in such events throughout their career.
Among the Formula 1 drivers listed in the system with experience in this area are Verstappen, Lando Norris, Fernando Alonso, and Nico Hülkenberg.
Gal Nagli, whose profile on X identifies him as a hacker and bug bounty hunter, along with blogger Ian Carroll, explained through a series of posts how they managed to access the portal simply by requesting to be administrators.
The profile of Verstappen, who recently debuted in endurance sports car races at the Nürburgring, was an immediate focus.
Carroll and Nagli were able to find the “passport, personal contact information, correspondence with the FIA, and license documents” of the four-time world champion. They also found “internal communications”, “committee discussions on driver performance, private evaluations, and confidential decision-making processes”.
“We stopped the tests after seeing that it was possible to access Max Verstappen’s passport, curriculum vitae, license, password hash, and personal information. This data from all F1 drivers could be accessed with a categorization, along with sensitive information about the FIA’s internal operations.”
Ian Carroll
Subsequently, Carroll and Nagli contacted the FIA to alert the organization about the failures in the system.
Carroll added: “We did not access any passport or sensitive information and all data has been deleted”.
The FIA has confirmed that the breach has already been resolved. An FIA spokesperson stated that the organization took immediate action to secure the drivers’ data and notified the relevant data protection authorities, as well as the few affected drivers. No other FIA digital platform was affected in this incident.
The FIA has invested significantly in cybersecurity and resilience measures across its digital infrastructure, implementing top-tier data security measures to protect all its stakeholders and applying a security-by-design policy in all new digital initiatives.