Hackers exploited vulnerabilities in the FIA's Driver Categorisation website, gaining administrator privileges by registering a standard user account and escalating its access. The breach exposed sensitive personal data (passports, résumés, licences, password hashes and other personally identifiable information) of nearly 7,000 drivers, including world champion Max Verstappen. Researchers (including Ian Carroll) discovered the flaw in June and reported it to the FIA immediately; the FIA secured the system, took the website offline (June 3rd), and applied a fix within a week. The FIA confirmed that no data was stolen or retained by the hackers, who deleted all the information they had accessed. The incident nevertheless required notifications to affected drivers and to data protection authorities. The breach was isolated to this platform, with no impact on other FIA digital systems. The organisation emphasised its cybersecurity investments, including security-by-design policies for new initiatives.
TPRM report: https://www.rankiteo.com/company/federation-internationale-de-l-automobile
{
  "id": "fed2032920102325",
  "linkid": "federation-internationale-de-l-automobile",
  "type": "Breach",
  "date": "6/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Small number of drivers (out of ~7,000 in the Driver Categorisation database)',
                        'industry': 'Motorsport',
                        'location': 'Paris, France (HQ)',
                        'name': "Fédération Internationale de l'Automobile (FIA)",
                        'type': 'Sports Governing Body'}],
 'attack_vector': ['Account Registration Exploitation',
                   'Vulnerability Exploitation (Privilege Escalation)'],
 'customer_advisories': ['Direct notification to impacted drivers'],
 'data_breach': {'data_exfiltration': 'None (researchers did not access or retain data)',
                 'file_types_exposed': ['PDF (passports, licenses)',
                                        'Documents (résumés)',
                                        'Database records (PII)'],
                 'number_of_records_exposed': "Potential access to ~7,000 driver records; actual exposure limited to a 'small number' of drivers",
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes government-issued IDs and PII)',
                 'type_of_data_compromised': ['PII',
                                              'Passport Scans',
                                              'Résumés',
                                              'License Details',
                                              'Password Hashes',
                                              'Internal FIA Operations Data']},
 'date_detected': '2024-06-03',
 'date_publicly_disclosed': '2024-09-11',
 'date_resolved': '2024-06-10',
 'description': 'Hackers compromised the FIA Driver Categorisation website, gaining administrator privileges and accessing sensitive personal information of drivers, including world champion Max Verstappen. The vulnerabilities were reported by security researchers, and the FIA addressed them promptly. No sensitive data was accessed or retained by the hackers, and the FIA notified affected drivers and data protection authorities.',
 'impact': {'brand_reputation_impact': "Potential reputational risk due to exposure of high-profile drivers' data (e.g., Max Verstappen)",
            'data_compromised': ['Passport Details',
                                 'Résumé',
                                 'License',
                                 'Password Hashes',
                                 'Personally Identifiable Information (PII)',
                                 'Internal FIA Operations Data'],
            'downtime': 'Website taken offline on 2024-06-03, restored by 2024-06-10 (7 days)',
            'identity_theft_risk': 'High (PII and passport details exposed)',
            'legal_liabilities': 'Reported to data protection authorities; potential GDPR or other compliance implications',
            'operational_impact': 'Temporary suspension of Driver Categorisation website; no impact on other FIA digital platforms',
            'systems_affected': ['FIA Driver Categorisation Website']},
 'initial_access_broker': {'entry_point': 'Registration of ordinary user account on FIA Driver Categorisation website',
                           'high_value_targets': ["Max Verstappen's data (passport, PII)",
                                                  'Other F1 drivers with categorisation']},
 'investigation_status': 'Resolved (vulnerabilities patched; no evidence of data misuse)',
 'lessons_learned': 'Importance of security-by-design in digital initiatives; rapid response to third-party vulnerability reports can mitigate damage. Regular audits of privilege escalation vulnerabilities are critical for systems handling sensitive data.',
 'motivation': "Unknown (Researchers acted responsibly; hackers' motives unclear)",
 'post_incident_analysis': {'corrective_actions': ['Patched vulnerabilities in the Driver Categorisation system',
                                                   "Enhanced cybersecurity investments across FIA's digital estate",
                                                   'Implemented security-by-design policy for new digital initiatives',
                                                   'Improved incident response protocols for third-party disclosures'],
                            'root_causes': ['Privilege escalation vulnerability in the Driver Categorisation website',
                                            'Insufficient access controls for administrative functions',
                                            'Lack of detection mechanisms for anomalous account behavior']},
 'recommendations': ['Conduct thorough penetration testing for all public-facing systems, especially those handling PII.',
                     'Implement multi-factor authentication (MFA) for administrative access.',
                     'Enhance logging and monitoring to detect anomalous privilege escalations.',
                     'Expand red team exercises to simulate real-world attack scenarios.',
                     'Ensure timely patching of reported vulnerabilities with a structured disclosure process.'],
 'references': [{'date_accessed': '2024-09-11',
                 'source': 'RaceFans',
                 'url': 'https://www.racefans.net/2024/09/11/fia-confirms-cyber-attack-on-driver-categorisation-website/'},
                {'date_accessed': '2024-09-11',
                 'source': "Ian Carroll's Blog Post"}],
 'regulatory_compliance': {'regulations_violated': ['Potential GDPR (General Data Protection Regulation) violations'],
                           'regulatory_notifications': ['Notified applicable data protection authorities']},
 'response': {'communication_strategy': ['Public statement via RaceFans',
                                         'Direct notification to impacted drivers',
                                         'Report to data protection authorities'],
              'containment_measures': ['Website taken offline on 2024-06-03',
                                       'Vulnerabilities patched'],
              'enhanced_monitoring': 'Claimed investment in cybersecurity and resilience measures post-incident',
              'incident_response_plan_activated': True,
              'recovery_measures': ['Website restored after patching',
                                    'Notification to affected drivers and authorities'],
              'remediation_measures': ['Comprehensive fix implemented by 2024-06-10'],
              'third_party_assistance': ['Security Researchers (Ian Carroll and two others)']},
 'stakeholder_advisories': ['FIA notified affected drivers and data protection authorities'],
 'threat_actor': 'Unknown (Reported by Security Researchers: Ian Carroll and two others)',
 'title': 'FIA Driver Categorisation Website Breach',
 'type': ['Data Breach', 'Unauthorized Access', 'Privilege Escalation'],
 'vulnerability_exploited': ['Privilege Escalation Flaw in FIA Driver Categorisation Website']}