A group of hackers accessed a database of information from the FIA, the governing body of Formula 1, revealing personal data of Max Verstappen within a 10-minute timeframe.
F1 drivers compete under a super license, but their registration on the FIA Driver Categorization website allows them to participate in motorsport events. A group of bloggers reported on X about access to the system, which contains information on any driver who has participated in these events.
Among the Formula 1 drivers in the system are Verstappen, Lando Norris, Fernando Alonso and Nico Hülkenberg.
Gal Nagli, who describes himself as a hacker and bug bounty hunter on his X profile, along with blogger Ian Carroll, explained how they managed to access the portal simply by requesting to be administrators.
Verstappen’s profile, who recently debuted in endurance races at Nürburgring, was the main focus.
Carroll and Nagli found the passport of the four-time world champion, his personal contact information, correspondence with the FIA, and documents of his license. They also found “internal communications”, “committee discussions on driver performance, private evaluations and confidential decision-making processes”.
In a blog post by Carroll, it was added: “We stopped testing after seeing that it was possible to access the passport, curriculum vitae, license, password hash, and personal information of Max Verstappen. This data could be accessed for all F1 drivers with a categorization, along with confidential information about the internal operations of the FIA.”
Subsequently, Carroll and Nagli contacted the FIA to alert the governing body about the failures in the system.
Carroll added: “We did not access any passport or sensitive information and all data has been deleted”.
The FIA confirmed that the breach has already been resolved. An FIA spokesperson stated: “The FIA was made aware of a cyber incident involving the FIA Driver Categorization website during the summer. Immediate measures were taken to secure the drivers’ data, and the FIA informed the relevant data protection authorities of this issue in accordance with the FIA’s obligations.”
It also notified the small number of pilots affected by this problem. No other FIA digital platform was affected in this incident.
“The FIA has invested heavily in cybersecurity and resilience measures across its digital assets. It has implemented first-class data security measures to protect all its stakeholders and implements a security-by-design policy in all new digital initiatives.”
