FIA (Fédération Internationale de l'Automobile)

The FIA suffered a cybersecurity breach in mid-2025 when ethical hackers exploited a vulnerability in its **driver categorization portal**, a system separate from the official Super License database but used to manage driver classifications (Bronze, Silver, Gold, Platinum). The researchers, led by Ian Carroll, escalated their privileges to **administrator-level access**, which exposed confidential documents of professional drivers, including **Max Verstappen's passport, résumé, license records, password hashes and personally identifiable information (PII)**. The group halted testing as soon as it discovered Verstappen's data, deleted all retrieved files and reported the flaw to the FIA in June.

The FIA confirmed the breach, stating that it occurred over the summer, and took **immediate measures** to secure the platform: it shut down the affected website and worked with the researchers to patch the vulnerability. The incident was reported to **data protection authorities**, and affected drivers were notified. The FIA emphasized that **no other digital platforms** were compromised and that the hackers, self-described Formula 1 fans, acted without malicious intent and aimed only to highlight security weaknesses. The portal was restored after its cybersecurity framework was reinforced.

Source: https://www.autoracing1.com/pl/464828/fia-news-fia-confirms-f1-driver-data-hacking-breach/

TPRM report: https://www.rankiteo.com/company/federation-internationale-de-l-automobile

"id": "fed2333223102425",
"linkid": "federation-internationale-de-l-automobile",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Professional drivers (including '
                                              'Max Verstappen and other F1 '
                                              'drivers)',
                        'industry': 'Motorsport / Automobile Racing',
                        'location': 'Paris, France (HQ)',
                        'name': "Fédération Internationale de l'Automobile "
                                '(FIA)',
                        'type': 'Sports Governing Body'}],
 'attack_vector': 'Privilege Escalation (Vulnerability in Driver '
                  'Categorization Portal)',
 'data_breach': {'data_exfiltration': 'Temporary (Hackers deleted retrieved '
                                      'data post-discovery)',
                 'file_types_exposed': ['PDF (passport scans, resumes)',
                                        'Database records (license details, '
                                        'PII)'],
                 'personally_identifiable_information': ['Full names',
                                                         'Passport numbers',
                                                         'Address details',
                                                         'License identifiers',
                                                         'Password hashes'],
                 'sensitivity_of_data': 'High (Passport scans, PII, license '
                                        'records)',
                 'type_of_data_compromised': ['Identity documents (passports)',
                                              'Resumes/CVs',
                                              'License records',
                                              'Password hashes',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2025-06-01T00:00:00Z',
 'date_publicly_disclosed': '2025-11-01T00:00:00Z',
 'description': "The FIA (Fédération Internationale de l'Automobile) suffered "
                'a cybersecurity breach in its driver categorization portal, '
                'allowing ethical hackers to escalate privileges and access '
                "confidential files, including Max Verstappen's passport, "
                'resume, license records, and personally identifiable '
                'information (PII). The vulnerability was responsibly '
                'disclosed by the hackers, and the FIA took immediate action '
                'to secure the data and patch the flaw.',
 'impact': {'brand_reputation_impact': 'Moderate (High-profile exposure of F1 '
                                       'driver data, but proactive response '
                                       'mitigated damage)',
            'data_compromised': ['Passport details',
                                 'Resumes',
                                 'License records',
                                 'Password hashes',
                                 'Personally Identifiable Information (PII)'],
            'downtime': 'Temporary (Portal taken offline for remediation)',
            'identity_theft_risk': 'High (Exposure of passports, PII, and '
                                   'license records)',
            'legal_liabilities': 'Potential (Data protection authorities '
                                 'notified; no fines mentioned)',
            'operational_impact': 'Minimal (No other FIA platforms affected)',
            'systems_affected': ['FIA Driver Classification Portal '
                                 '(Bronze/Silver/Gold/Platinum categorization '
                                 'system)']},
 'initial_access_broker': {'entry_point': 'FIA Driver Classification Portal '
                                          '(Privilege Escalation Flaw)',
                           'high_value_targets': 'F1 driver records (e.g., Max '
                                                 'Verstappen)'},
 'investigation_status': 'Resolved (Vulnerability patched; no ongoing threats '
                         'reported)',
 'lessons_learned': ['Critical vulnerabilities in niche portals can expose '
                     'high-profile data.',
                     'Ethical hackers play a key role in identifying flaws '
                     'through responsible disclosure.',
                     'Rapid collaboration with discoverers can accelerate '
                     'remediation.'],
 'motivation': 'Non-malicious; Responsible Disclosure to Highlight '
               'Vulnerabilities',
 'post_incident_analysis': {'corrective_actions': ['Patched privilege '
                                                   'escalation vulnerability',
                                                   'Reinforced cybersecurity '
                                                   'framework for the portal',
                                                   'Enhanced monitoring for '
                                                   'unauthorized access '
                                                   'attempts'],
                            'root_causes': ['Inadequate access controls in the '
                                            'driver classification portal',
                                            'Lack of privilege escalation '
                                            'safeguards',
                                            'Overlooked security '
                                            'vulnerabilities in auxiliary '
                                            'systems']},
 'recommendations': ['Conduct regular security audits for all digital '
                     'platforms, including auxiliary systems.',
                     'Implement multi-factor authentication (MFA) for '
                     'administrative access.',
                     'Establish a bug bounty program to incentivize ethical '
                     'hacking.',
                     'Segment high-sensitivity data (e.g., driver PII) from '
                     'less critical systems.'],
 'references': [{'source': 'German Press Agency (DPA)'},
                {'source': 'La Gazzetta dello Sport'},
                {'source': "Ian Carroll's Blog Post (Ethical Hackers)"}],
 'regulatory_compliance': {'regulations_violated': ['Potential GDPR (General '
                                                    'Data Protection '
                                                    'Regulation) violations'],
                           'regulatory_notifications': 'Data protection '
                                                       'authorities notified'},
 'response': {'communication_strategy': ['Public confirmation to media (DPA, '
                                         'La Gazzetta dello Sport)',
                                         'Notification to affected drivers',
                                         'Report to data protection '
                                         'authorities'],
              'containment_measures': ['Portal taken offline immediately',
                                       'Access privileges revoked'],
              'incident_response_plan_activated': True,
              'recovery_measures': 'Portal restored after remediation',
              'remediation_measures': ['Vulnerability patched',
                                       'Cybersecurity framework reinforced'],
              'third_party_assistance': 'Collaboration with ethical hackers '
                                        '(Ian Carroll and team)'},
 'stakeholder_advisories': 'Affected drivers (including Max Verstappen) '
                           'notified directly',
 'threat_actor': 'Ethical Hackers (Ian Carroll and colleagues)',
 'title': 'FIA Driver Classification Portal Data Breach Exposing Max '
          "Verstappen's Personal Information",
 'type': 'Data Breach / Unauthorized Access',
 'vulnerability_exploited': 'Privilege Escalation Flaw in FIA Driver '
                            'Classification System'}