
Max Verstappen had his details exposed in a cyber attack on the FIA. Image: XPB Images
The incident, which occurred in June but was revealed publicly this week, was promptly resolved in collaboration with the hackers.
Three ethical hackers — Gal Nagli, Sam Curry, and Ian Carroll — accessed the FIA’s system, which manages driver classifications and super licences, by exploiting a vulnerability in the website’s framework.
The group created a profile and elevated their access rights to administrator status, allowing them to view the internal dashboard.
Nagli explained the extent of what they could see through his X account. He also clarified that they did not save any data they accessed.
“Important clarification, we did NOT download or save any passports or sensitive personal information,” he explained.
“We validated the vulnerability existed, took screenshots for proof, and immediately stopped testing.
“All test data was deleted. No driver information was compromised by us.
“We worked with the FIA to promptly fix the issue. Shoutout to their team for the rapid response and taking the matter seriously.”
The FIA confirmed that steps were taken immediately to secure the portal and report the incident to data protection authorities.
“Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations,” a spokesperson said.
“It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.
“The FIA has invested extensively in cyber security and resilience measures across its digital estate.
“It has put world-class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives.”
The hackers, all F1 fans, stressed that their actions were intended to expose weaknesses rather than cause harm. The FIA portal was taken offline on June 3, and a full fix was implemented within a week.
This is not the FIA’s first cyber incident; a separate hack last year affected email accounts, though details were not disclosed.