Autosport

Hackers gained access to FIA data, including Verstappen's passport

The FIA has confirmed that a group of ethical hackers briefly gained access to data in its driver licensing portal - including Max Verstappen’s passport. The leak has since been fixed in collaboration with the hackers themselves.

The breach took place this summer, when a trio of ethical hackers — Gal Nagli, Sam Curry and Ian Carroll — got into the FIA’s Driver Categorisation portal. Although the successful hack was carried out months ago, they only revealed their findings publicly this week on social media.

The group, all Formula 1 fans, stressed that they had no malicious intent. The goal was mainly to expose weaknesses in the FIA’s infrastructure and to make the “entire ecosystem” stronger.

The incident involved the system the FIA uses to manage driver classifications. F1 drivers need a super licence to compete, but for other series – mostly endurance – the categorisation into Gold, Silver or Bronze is crucially important. Through the portal, the FIA manages these categorisations, and drivers can also submit requests to change their status – for example from Gold to Silver, which can be beneficial in endurance racing, where teams are often required to field a Silver-rated driver.

Admin role gave hackers access to driver data

The hackers created a profile on the FIA portal and discovered via JavaScript that it was possible to modify their role. The portal’s framework included multiple roles: drivers, FIA staff, and administrators.

Using an HTTP PUT request, the hackers attempted to elevate their access rights to admin status - and it worked. Upon logging back in, they found a completely different interface, including the FIA’s internal dashboard for managing driver classifications.
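A profile-update handler that persists whatever the client sends, including a role, produces the behaviour described above; the fix is a server-side allowlist plus an authorisation check on role changes. The sketch below is an added example, not the FIA portal's code: the field names, role names and in-memory store are assumptions for illustration.

```javascript
// Constructed example: field names, role names and the in-memory store are
// assumptions for illustration, not the FIA portal's real schema or code.
const ROLES = ["driver", "staff", "admin"];
const SELF_EDITABLE = new Set(["displayName", "phone"]); // fields a user may edit

function makeStore() {
  return new Map([
    [1, { id: 1, displayName: "New User", phone: "", role: "driver" }],
    [2, { id: 2, displayName: "Portal Admin", phone: "", role: "admin" }],
  ]);
}

// Weak pattern: the PUT body is merged into the stored record as-is, so any
// property the client sends (including "role") is persisted.
function updateProfileUnsafe(store, actorId, body) {
  const user = store.get(actorId);
  Object.assign(user, body);
  return { status: 200, user };
}

// Hardened pattern: all checks run before any write. Unknown fields are
// rejected, and "role" is honoured only when the caller's stored role is admin.
function updateProfileSafe(store, actorId, targetId, body) {
  const actor = store.get(actorId);
  const target = store.get(targetId);
  if (!actor || !target) return { status: 404 };
  if (actorId !== targetId && actor.role !== "admin") return { status: 403 };

  const rejected = Object.keys(body).filter((k) => !SELF_EDITABLE.has(k) && k !== "role");
  if (rejected.length) return { status: 400, rejected };

  if ("role" in body) {
    if (actor.role !== "admin" || !ROLES.includes(body.role)) {
      return { status: 403, rejected: ["role"] }; // log as a privilege-change attempt
    }
    target.role = body.role;
  }
  for (const k of Object.keys(body)) {
    if (SELF_EDITABLE.has(k)) target[k] = String(body[k]);
  }
  return { status: 200, user: target };
}
```

The 403 branch for a non-admin sending `role` is also a useful detection point, since a legitimate client never sends that field.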

FIA logo (Photo by: Gabriele Lanzo / Alessio Morgese / NurPhoto via Getty Images)

To verify the breach, the group attempted to load a single driver profile. They found that it exposed the driver's password hash, email address, phone number and passport details, along with internal correspondence between the FIA and the driver regarding the categorisation.

All F1 drivers were also listed in the system, with the hackers noticing that Verstappen’s passport could be accessed. The hackers emphasised that they stopped their testing at that point and did not access any passport or sensitive information.

FIA response and working with the hackers

After identifying the vulnerability on 3 June, the hackers immediately notified the FIA. The governing body took action - taking the site offline the same day and working with the trio to find a permanent solution. On 10 June, the FIA confirmed that a fix had been implemented.

When asked by Autosport in Mexico, an FIA spokesperson confirmed the incident and shared an official statement from the governing body:

“The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer. Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations. It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.

“The FIA has invested extensively in cyber security and resilience measures across its digital estate. It has put world class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives.”
