'%20x='0'%20y='0'%20height='100%25'%20width='100%25'%20%0A%20%20%20%20%20%20%20%20%20%20xlink%3Ahref='data:image/jpg;base64,/9j/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcUFhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wgARCAAHAAoDASIAAhEBAxEB/8QAFQABAQAAAAAAAAAAAAAAAAAAAAX/xAAVAQEBAAAAAAAAAAAAAAAAAAACA//aAAwDAQACEAMQAAAAv1QU/8QAHBAAAgMAAwEAAAAAAAAAAAAAAQIDBAUABtIR/9oACAEBAAE/ABc382S4HwJXrSuBEEtQgp6P3kW9ppEiv1m+zAAEizX98//EABURAQEAAAAAAAAAAAAAAAAAAAAT/9oACAECAQE/AKP/xAAWEQADAAAAAAAAAAAAAAAAAAAAARL/2gAIAQMBAT8AhH//2Q=='%3E%3C/image%3E%3C/svg%3E)
A group of ethical hackers briefly accessed private data from the FIA’s driver licensing portal earlier this year, including Max Verstappen’s passport, before helping the governing body fix the breach. The incident took place in June, but was disclosed publicly on Thursday (October 23), exposing a key vulnerability in the FIA’s Driver Categorization system used to manage global competition licenses.
The cyber incident involved researchers Gal Nagli, Sam Curry, and Ian Carroll, who described themselves as Formula 1 fans with no malicious intent. Their goal was to test the FIA’s security infrastructure and highlight its weak points. The trio found a way into the FIA’s Driver Categorization portal, which manages licensing for professional and amateur racers in multiple series, including those classified as Gold, Silver, or Bronze under FIA regulations.
Trending
Once inside the portal, the researchers created a driver profile and began examining the site’s underlying code. Through the site’s JavaScript framework, they discovered that user roles, such as driver, FIA staff, and administrator, could be changed manually. Using an HTTP PUT request, they attempted to modify their privileges, elevating themselves to administrator access. To their surprise, it worked.
Upon logging back in, they gained access to a completely different interface that included the FIA’s internal dashboard for managing driver classifications and records. From there, they verified that sensitive personal information was visible.
“We stopped testing after seeing that it was possible to access Max Verstappen’s passport, résumé, license, password hash and PII (personally identifiable information),” researcher Ian Carroll said (via Crash.net). “This data could be accessed for all F1 drivers with a categorization, alongside sensitive information of internal FIA operations. We did not access any passports, sensitive information and all data has been deleted.”
The group found that driver profiles displayed details such as emails, phone numbers, and internal communication between FIA officials and competitors. While Max Verstappen’s passport details were briefly accessible, there was no evidence of data misuse or exposure beyond the controlled test.
The discovery raises concerns about how sensitive F1 driver information is stored.
FIA addresses the breach and confirms data security steps as Max Verstappen's data is now safe
After identifying the breach on June 3, the hackers immediately reported their findings to the FIA. The governing body responded swiftly, taking the site offline the same day and working directly with the hackers to secure the system. By June 10, a permanent fix had been implemented, ensuring the vulnerability was closed.
The FIA confirmed the incident in a statement to Crash.net, saying that it had already reported the issue to the relevant data protection authorities and notified the affected drivers.
“The FIA became aware of a cyber incident involving the FIA Driver Categorization website over the summer,” an FIA spokesperson said. “Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations. It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.”
The federation added that it has since reinforced its digital protection systems.
“The FIA has invested extensively in cyber security and resilience measures across its digital estate. It has put world-class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives,” the spokesperson added.
The collaboration between the FIA and the ethical hackers ensured that no lasting damage occurred, with the portal now fully secured.
As the FIA strengthens its cybersecurity protocols, Max Verstappen’s focus remains firmly on the track. The Dutch driver heads into this weekend’s Mexico City Grand Prix, where he will continue his charge toward a fifth world championship.
