A team of hackers accessed one of the FIA’s information databases.
The Fédération Internationale de l’Automobile (FIA) has confirmed a security breach in one of its driver information databases, allowing “hackers” to access Max Verstappen’s personal information in just 10 minutes.
Formula 1 drivers compete under a super license, but registration on the FIA Driver Categorization website allows them to participate in sports car events. A group of bloggers revealed on X that they accessed the system, which lists any driver who has participated in such events throughout their careers.
Among the Formula 1 drivers listed in the system with experience in this area are Verstappen, Lando Norris, Fernando Alonso, and Nico Hülkenberg.
Gal Nagli, whose X profile identifies him as a hacker and bug bounty hunter, along with blogger Ian Carroll, explained through a series of posts how they managed to access the portal simply by requesting to be administrators.
The information about Verstappen, who recently made his debut in endurance sports car racing at the Nürburgring, was the main focus.
Carroll and Nagli were able to find the “passport, personal contact, correspondence with the FIA and license documents” of the four-time world champion. They also found “internal communications”, “committee discussions on driver performance, private evaluations and confidential decision-making processes”.
We stopped the tests after seeing that it was possible to access Max Verstappen’s passport, curriculum vitae, license, password hash, and personal information. This data from all F1 drivers could be accessed with a categorization, along with confidential information about the FIA’s internal operations.
Ian Carroll
Subsequently, Carroll and Nagli contacted the FIA to alert the entity about the failures in the system.
Carroll added: “We did not access any passport or sensitive information, and all data has been deleted”.
The FIA has confirmed that the breach has already been resolved. An FIA spokesperson stated: “The FIA was aware of a cyber incident related to the FIA Driver Categorization website during the summer. Immediate measures were taken to secure the drivers’ data, and the FIA informed the relevant data protection authorities of this issue, in accordance with the FIA’s obligations.
The small number of pilots affected by this problem were also notified. No other FIA digital platform was affected in this incident.
The FIA has invested heavily in cybersecurity and resilience measures across its digital assets. It has implemented first-class data security measures to protect all its stakeholders and implements a security-by-design policy in all new digital initiatives.”
