A team of alleged hackers managed to access one of the information databases of the FIA, the governing body of Formula 1. The attack, which exposed personal information of the driver Max Verstappen, lasted only ten minutes.
F1 drivers compete under a super license, but their registration on the FIA Driver Categorization website allows them to participate in motorsport events. A group of bloggers revealed on the X platform how they accessed the system, which contains information on all drivers who have participated in those events throughout their careers.
Among the Formula 1 drivers included in the system are Max Verstappen, Lando Norris, Fernando Alonso, and Nico Hülkenberg, who have experience in this field.
Gal Nagli, who describes himself on his X profile as a hacker and bug bounty hunter, along with blogger Ian Carroll, explained through a series of posts how they managed to access the portal simply by requesting to be administrators.
The profile of Verstappen, who recently debuted in endurance races at the Nürburgring, was the main focus.
Carroll and Nagli were able to find the passport, personal contact information, correspondence with the FIA, and the license documents of the four-time world champion. They also found “internal communications”, “committee discussions on driver performance, private evaluations and confidential decision-making processes”.
“We stopped testing after seeing that it was possible to access the passport, resume, license, password hash, and personal information of Max Verstappen. This data of all F1 drivers could be accessed with a categorization, along with confidential information about the internal operations of the FIA.”
Ian Carroll
Subsequently, Carroll and Nagli contacted the FIA to inform the organization of the system failures.
The FIA has confirmed that the problem has been solved. An FIA spokesperson stated that immediate measures were taken to secure the drivers’ data and that the incident was reported to the relevant data protection authorities, in accordance with the FIA’s obligations.
Furthermore, the few drivers affected by this incident were notified. No other FIA digital platform was affected. The FIA has invested heavily in cybersecurity and resilience measures across its digital assets and has implemented top-tier data security measures to protect all its stakeholders, as well as implementing a security-by-design policy in all new digital initiatives.