
Redazione RHC : 24 October 2025 07:41
Security researchers have discovered vulnerabilities in an FIA website that contained sensitive personal information and documents relating to drivers, including world champion Max Verstappen.
Ian Carroll, one of three researchers who examined the site, revealed the breach in a blog post on Wednesday. He said the FIA addressed the vulnerabilities in its systems immediately after being contacted last June.
The FIA confirmed the breach and stated that it has taken measures to protect driver data. It has contacted the drivers involved and the relevant data protection authorities.
The researchers stated that they did not access or retain sensitive information relating to any of the individuals identified through the cyberattack and immediately reported the findings to the FIA.

The website was compromised using a regular user account. Researchers exploited vulnerabilities in the system to gain administrator privileges. This gave them the ability to access the sensitive personal information of any driver of their choosing.
“We appeared to have full administrative access to the FIA’s driver categorization website,” they noted. “We halted testing after determining that Max Verstappen’s passport, CV, driver’s license, password hash, and personally identifiable information could be accessed,” Carroll wrote. “This data could be accessed by all F1 drivers via categorization, along with sensitive information related to the FIA’s internal operations. We did not have access to any passport or sensitive information, and all data has been deleted.”
The FIA’s driver categorization website contains data for nearly 7,000 drivers.

“The FIA became aware of a cyber incident involving the FIA Driver Categorization website over the summer,” the FIA said. “Immediate measures were taken to protect driver data, and the FIA reported the issue to the relevant data protection authorities, in accordance with the FIA’s obligations. The limited number of drivers affected by this issue was also reported. No other FIA digital platforms were affected by this incident.”
According to researchers, the FIA took the website offline on June 3, the same day it was informed of the breach. A week later, it provided details of a “comprehensive fix.”
The FIA says it has “invested extensively in cybersecurity and resilience measures across its digital estate” and “has put in place world-class data security measures to protect all its stakeholders and implements a security-by-design policy across all new digital initiatives.”