The governing body for Formula 1, the FIA, has confirmed that one of its driver information databases was compromised in a recent security incident. The breach allowed “hackers” to access Max Verstappen’s personal information in a mere ten minutes. While F1 drivers use a super license to race in Grand Prix events, registration on the FIA Driver Categorisation website is required for those who wish to compete in sports car races. A pair of bloggers revealed on the social media platform X that they accessed the system, which catalogs every driver who has participated in these kinds of motor racing events globally at any point in their careers.
The database includes several high-profile Formula 1 drivers with a history in sports car racing, such as Verstappen, Lando Norris, Fernando Alonso, and Nico Hülkenberg. Gal Nagli, who identifies as a hacker and bug bounty hunter, and blogger Ian Carroll publicly detailed how they gained access to the restricted portal. They stated that they simply applied to become an admin, which immediately gave them entry to the system.
The profile of Max Verstappen, a four-time world champion who recently debuted in endurance sports car racing at the Nürburgring, quickly became a focal point of their access. Carroll and Nagli found highly sensitive documents on the reigning champion, including his passport, personal contact information, FIA correspondence, and his license documents. Furthermore, they accessed confidential internal documents, such as internal communications, committee discussions about driver performance, private evaluations, and confidential decision-making processes.
A blog post on Carroll’s website later elaborated on the extent of the flaw: “We stopped testing after seeing that it was possible to access Max Verstappen’s passport, resume, license, password hash, and PII [Personally Identifiable Information].” They noted that this level of data was accessible for all F1 drivers with a categorization, along with highly sensitive information regarding internal FIA operations. Carroll and Nagli immediately contacted the FIA to alert the organization to the significant security flaws they had discovered in the system.
Carroll affirmed that they “did not access any passports / sensitive information” beyond the initial findings and that all data had been deleted. The FIA has confirmed the breach has been addressed and the system secured. An FIA spokesperson told ESPN that they became aware of the incident “over the summer,” took “immediate steps to secure drivers’ data,” and reported the issue to applicable data protection authorities. They also confirmed that only a “small number of drivers” were impacted and that “No other FIA digital platforms were impacted.” The organization emphasized its extensive investment in “cyber security and resilience measures” and its commitment to “security-by-design” for all new digital initiatives.