The FIA has admitted that its driver categorisation platform was briefly compromised earlier this year when ethical hackers found a security flaw.
The issue, which temporarily exposed some driver data, including Max Verstappen’s passport details, was quickly contained and resolved with the researchers’ cooperation.
The breach was identified during the summer by cybersecurity specialists Gal Nagli, Sam Curry, and Ian Carroll – known for responsibly disclosing vulnerabilities in major organisations.
The trio, all motorsport enthusiasts, accessed the FIA’s Driver Categorisation website, which is used to manage licence grades such as Gold, Silver, and Bronze for various racing categories.
Although the discovery occurred several months ago, the researchers shared their findings publicly on social media this week.
The group stated that their actions were based on ethical intentions and aimed to identify and report weaknesses in the FIA’s digital infrastructure.
According to their account, the researchers first signed up for the FIA’s online portal like any other user.
By analysing the website’s JavaScript, they discovered a way to modify account permissions.
Sending an HTTP PUT request allowed them to switch their role to administrator, which revealed a different interface intended for FIA officials.
This administrator dashboard provided access to the system for managing driver classifications.
When they accessed a single driver entry to confirm the vulnerability, they viewed data fields including password hashes, contact details, and passport information.
While Verstappen’s details appeared accessible, the researchers stated they did not view or download any sensitive files.
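A flaw of this kind, where a request body sent by an ordinary user can set that user's own role, is commonly known as mass assignment. The following is an added example, not code from the FIA or the researchers, contrasting that pattern with a per-field allow-list; the field names, role values and function names are assumptions for illustration.

```javascript
// Added example: field names and role values are assumptions, not the FIA's schema.
const SELF_EDITABLE = new Set(["displayName", "email", "phone"]);
const ADMIN_ONLY = new Set(["role"]);

// Vulnerable pattern: every key in the request body is copied onto the record,
// so a body containing "role" changes the caller's privileges.
function updateUserUnsafe(actor, record, body) {
  return { ...record, ...body };
}

// Hardened pattern: per-field allow-list. Authorisation is decided from the
// server-side session (actor), never from anything in the request body.
function updateUserSafe(actor, record, body) {
  const updated = { ...record };
  const rejected = [];
  const isSelf = actor.id === record.id;
  const isAdmin = actor.role === "admin";
  for (const [key, value] of Object.entries(body)) {
    if (SELF_EDITABLE.has(key) && (isSelf || isAdmin)) {
      updated[key] = value;
    } else if (ADMIN_ONLY.has(key) && isAdmin && !isSelf) {
      // Only an existing admin may change a role, and never their own.
      updated[key] = value;
    } else {
      // Unknown or unauthorised field: keep the stored value and record the
      // attempt so the caller can log it or answer with 403.
      rejected.push(key);
    }
  }
  return { updated, rejected };
}

// Constructed sample: a newly registered user submits a PUT body with a role.
const user = { id: 7, role: "user", displayName: "New User", email: "u@example.test" };
const putBody = { displayName: "Racer", role: "admin" };

console.log(updateUserUnsafe(user, user, putBody).role);
console.log(updateUserSafe(user, user, putBody));
```

The rejected list is also a useful detection signal: a role field arriving in a self-service profile update is rarely legitimate.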
How the FIA responded
After the trio notified the FIA of the flaw on 3 June, the FIA took the portal offline that same day.
It worked directly with the researchers to patch the system, fully implementing a fix by 10 June.
During Formula 1’s Mexico City Grand Prix weekend, an FIA spokesperson confirmed the incident and shared an official statement.
“The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer,” it stated.
“Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations.
“It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.
“The FIA has invested extensively in cyber security and resilience measures across its digital estate.
“It has put world-class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives.”
When asked about the breach, Lewis Hamilton told media including Motorsport Week that he had not yet heard about it. “What is that? Because I don’t know.”
When told that hackers had briefly accessed the FIA’s systems, Hamilton added: “Oh, really? That’s the first time I’ve heard of it.”
Asked how he felt about driver information being exposed, he remarked: “They don’t have very much information on me anyway, so it’s OK.”