
In a digital age where data is king, a trio of cyber sleuths uncovered a chink in the armor of the FIA, motorsport’s governing body.
Security researcher Ian Carroll, alongside two colleagues, stumbled upon a vulnerability that granted them access to a treasure trove of sensitive information, including personal details of four-time world champion Max Verstappen.
The trio had no malicious intent and informed the FIA of their breach back in June. Carroll also shared their findings in a detailed blog post published on Wednesday, revealing how close sensitive driver information came to falling into the wrong hands.
“Full Admin Access” to the FIA Database
According to Carroll, the researchers stumbled upon the flaw within the FIA’s Driver Categorisation website – a platform that stores profiles for nearly 7,000 licensed drivers. What began as a simple test using an ordinary user account quickly spiraled into something far more serious.
“We seemed to have full admin access to the FIA driver categorisation website,” they noted.

With those privileges, the researchers could view personal documents, passports, and other classified materials. But upon realizing the depth of the breach, they stopped immediately.
“We stopped testing after seeing that it was possible to access Max Verstappen’s passport, résumé, license, password hash, and PII [personally identifiable information],” Carroll wrote.
“This data could be accessed for all F1 drivers with a categorisation, alongside sensitive information of internal FIA operations. We did not access any passports [or] sensitive information and all data has been deleted.”
Carroll and his team subsequently contacted the FIA, outlining the security lapse and helping to secure the system before any damage could be done.
FIA Reacts Swiftly to Contain the Breach
In response, the FIA acknowledged the incident and praised the researchers for coming forward. The governing body took the Driver Categorisation website offline on June 3rd – the same day it was alerted – and implemented a “comprehensive fix” one week later.
“The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer,” it said in a statement to F1 website RaceFans.
“Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations.
“It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.”
The organization added that it has “invested extensively in cyber security and resilience measures across its digital estate” and “has put world-class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives.”
Lessons in Cyber Vigilance
Though the breach was swiftly contained, the incident serves as a stark reminder of how even elite institutions in global sport remain vulnerable to cyber threats.
Carroll’s discovery highlights the fine line between ethical hacking and potential disaster – and how crucial proactive security measures have become.
Thanks to three responsible researchers, the FIA dodged what could have been one of Formula 1’s most serious data leaks – one that reached all the way to the reigning world champion’s private information.







