
F1 governing body confirms cyber incident after researchers gain access to Max Verstappen’s passport

The governing body for Formula 1 (F1) has confirmed a cyber incident that led to researchers gaining access to the personal details of a number of F1 drivers, including highly regarded driver Max Verstappen.

The Federation Internationale de l’Automobile (FIA) disclosed the cyber incident after a team of security researchers led by Ian Carroll released a blog post about it on Wednesday (22 October).

Carroll and two colleagues discovered vulnerabilities in the FIA’s Driver Categorisation website earlier this year, at which time they notified the FIA. The site was taken down on 3 June, with a fix implemented a week later.

The researchers used an ordinary user account on the FIA’s Driver Categorisation website to take advantage of vulnerabilities that gave them administrator privileges, allowing them to access the sensitive data of any of the almost 7,000 drivers on the website.

“We seemed to have full admin access to the FIA driver categorisation website,” the researchers said in a blog post.

Carroll said: “We stopped testing after seeing that it was possible to access Max Verstappen’s passport, résumé, license, password hash and PII.

“This data could be accessed for all F1 drivers with a categorisation, alongside sensitive information of internal FIA operations. We did not access any passports [or] sensitive information and all data has been deleted.”

The FIA has since issued a statement regarding the incident.

“The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer,” it said. “Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations.

“It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.”

The FIA added that it had “invested extensively in cyber security and resilience measures across its digital estate” and “has put world-class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives”.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding of, and experience writing in, the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.