An FIA data breach has exposed the sensitive personal information of F1 drivers, including government-issued IDs, after a group of security researchers breached the sporting body’s Driver Categorisation portal.
“The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer,” an FIA spokesperson stated.
The FIA learned of the data breach around June 3 after the researchers contacted Formula 1’s governing body with the findings of their exploitation.
FIA data breach exposes F1 drivers’ passports
The data breach was carried out via JavaScript by three ethical hackers, Gal Nagli, Sam Curry, and Ian Carroll, after they discovered that they could elevate their user roles by sending an HTTP PUT request. The system allowed users to assume the roles of F1 drivers, FIA staff, and administrators.
By doing so, they elevated their privileges to admin status and accessed the Categorization dashboard that the FIA uses to manage F1 drivers’ profiles. Nearly 7,000 F1 drivers were listed on that portal.
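The following is an added example, not code from the FIA portal or from the researchers. The article does not describe the server-side flaw, so the sketch assumes the common case in which a profile-update handler copies every field of a PUT body into the stored record, and shows it beside a handler that allowlists fields and authorizes role changes on the server. All field names, role names and records are hypothetical.

```javascript
// Constructed example: field names, roles and records are hypothetical.
const SELF_EDITABLE = new Set(["email", "phone", "displayName"]);
const KNOWN_ROLES = new Set(["driver", "staff", "admin"]);

// Weak form: every client-supplied key is merged into the stored record,
// so a "roles" key in the PUT body is persisted like any other field.
function updateProfileUnsafe(stored, body) {
  return { ...stored, ...body };
}

// Hardened form. `actor` must come from the server-side session, never
// from the request body.
function updateProfileSafe(actor, stored, body) {
  const isAdmin = actor.roles.includes("admin");
  if (actor.id !== stored.id && !isAdmin) {
    throw new Error("forbidden: cannot edit another user's profile");
  }
  const profile = { ...stored };
  const audit = []; // denied or unexpected fields, kept for detection
  for (const [key, value] of Object.entries(body)) {
    if (SELF_EDITABLE.has(key)) {
      if (typeof value !== "string") throw new TypeError(`${key} must be a string`);
      profile[key] = value;
    } else if (key === "roles") {
      const valid = Array.isArray(value) && value.every((r) => KNOWN_ROLES.has(r));
      if (isAdmin && valid) {
        profile.roles = [...value];
      } else {
        audit.push({ event: "role_change_denied", actor: actor.id, target: stored.id });
      }
    } else {
      audit.push({ event: "unknown_field_ignored", actor: actor.id, field: key });
    }
  }
  return { profile, audit };
}

// Constructed request: a driver account updates its own profile with an extra key.
const stored = { id: 7, email: "old@example.test", roles: ["driver"] };
const body = { email: "new@example.test", roles: ["admin"] };
console.log(updateProfileUnsafe(stored, body).roles);
console.log(updateProfileSafe({ id: 7, roles: ["driver"] }, stored, body));
```

The audit entries are the detection hook: a role change requested by a non-admin session is worth alerting on even though the hardened handler drops it.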
The dashboard granted them access to F1 drivers’ password hashes, email addresses, phone numbers, passport details, and communications with the FIA about categorization. They loaded Max Verstappen’s profile and discovered that they could access his personal information, including passport and resume, but did not proceed further.
“We stopped testing after seeing that it was possible to access Max Verstappen’s passport, resume, license, password hash, and PII. This data could be accessed for all F1 drivers with a categorization, alongside sensitive information of internal FIA operations,” Carroll stated.
They immediately reported the data breach to the F1 governing body around June 3 and later published their findings on social media.
Upon learning of the data breach, the FIA responded by taking the system offline, notifying relevant authorities and impacted F1 drivers, and working with the ethical hackers to fix the compromised system.
No other system affected, issue resolved
The FIA also asserted that the data breach did not affect other systems and that the issue was successfully resolved.
“No other FIA digital platforms were impacted in this incident,” the FIA stated.
The sports body also claims it has invested “extensively in cyber security and resilience measures” and put in “world class data security measures” to protect all stakeholders and “implements a policy of security-by-design in all new digital initiatives.”
Carroll also confirmed that they did not access any sensitive information and that all the data acquired during the exploitation has been deleted. Another hacker confirmed that they did not have any nefarious motives and were only concerned about the security of the whole system.
“We were looking at the security of the whole ecosystem. That’s how we stumbled upon a severe vulnerability in a critical portal managed by the FIA,” Nagli posted on X.
They also thanked the FIA cybersecurity team for their immediate response and cooperation to resolve the security issue.
“We worked with the FIA to promptly fix the issue. Shoutout to their team for the rapid response and taking the matter seriously,” the researchers said.
So far, there is no evidence that other threat actors have accessed F1 drivers’ personal information. However, this is hardly the FIA’s first data breach. In 2024, hackers breached two email addresses belonging to the FIA and accessed personal information.

