FIA (Fédération Internationale de l'Automobile)

A group of self-described hackers (security bloggers and a bug bounty hunter) found that the FIA Driver Categorisation website allowed a self-registered account to grant itself admin privileges, and used this flaw to obtain unauthorized admin access within about 10 minutes. From there they could retrieve Max Verstappen's passport, personal contact details, FIA correspondence, licence documents, password hashes, and other PII (Personally Identifiable Information). The same access exposed internal FIA communications, committee discussions on driver performance, private evaluations, and confidential decision-making records for several other F1 drivers (including Lando Norris, Fernando Alonso, and Nico Hülkenberg). The researchers demonstrated the flaw by accessing the sensitive data, but stated that they did not download or retain any passports or sensitive files and deleted everything they had retrieved before reporting the issue to the FIA. The governing body confirmed the breach was contained, notified the affected drivers, and reported the incident to the relevant data protection authorities; it stated that no other FIA digital platforms were compromised. Because password hashes were among the data reached, the affected accounts should be treated as credential-compromised until reset, whatever hashing scheme was in use. The incident exposed critical gaps in the FIA's access control and security-by-design practices, despite the FIA's stated investment in cybersecurity.

Source: https://www.espn.com/f1/story/_/id/46702454/fia-confirm-hackers-breached-max-verstappen-personal-information

TPRM report: https://www.rankiteo.com/company/federation-internationale-de-l-automobile

"id": "fed2862028102425",
"linkid": "federation-internationale-de-l-automobile",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': ['Max Verstappen',
                                               'Lando Norris',
                                               'Fernando Alonso',
                                               'Nico Hülkenberg',
                                               'other drivers with sports car '
                                               'racing backgrounds'],
                        'industry': 'motorsport',
                        'location': 'Paris, France (HQ)',
                        'name': "Fédération Internationale de l'Automobile "
                                '(FIA)',
                        'type': 'sports governing body'}],
 'attack_vector': ['improper access control', 'admin privilege exploitation'],
 'customer_advisories': ['Drivers with sports car racing backgrounds were '
                         'informed'],
 'data_breach': {'data_exfiltration': 'Yes (temporarily accessed; later '
                                      'deleted by attackers)',
                 'file_types_exposed': ['PDF (passport/license scans)',
                                        'emails',
                                        'database records'],
                 'personally_identifiable_information': ['full names',
                                                         'contact details',
                                                         'passport numbers',
                                                         'driver license data'],
                 'sensitivity_of_data': 'High (includes passport scans, '
                                        'private correspondence, and '
                                        'confidential FIA processes)',
                 'type_of_data_compromised': ['PII',
                                              'government-issued IDs '
                                              '(passports)',
                                              'internal operational data',
                                              'driver performance evaluations',
                                              'password hashes']},
 'date_publicly_disclosed': '2024-summers',
 'description': 'A team of self-described hackers (bloggers and a bug bounty '
                "hunter) accessed the FIA's Driver Categorisation database by "
                'exploiting an administrative vulnerability. They gained '
                "access to Max Verstappen's passport, personal contact "
                'details, FIA correspondence, license documents, internal '
                'communications, committee discussions, and other sensitive '
                'data for multiple F1 drivers. The breach was reported to the '
                'FIA, which confirmed containment and notification to affected '
                'drivers and authorities.',
 'impact': {'brand_reputation_impact': ['potential trust erosion among drivers',
                                        'media scrutiny'],
            'data_compromised': ['passport details',
                                 'personal contact information',
                                 'FIA correspondence',
                                 'license documents',
                                 'password hashes',
                                 'PII',
                                 'internal communications',
                                 'committee discussions',
                                 'private driver evaluations',
                                 'confidential decision-making records'],
            'identity_theft_risk': 'High (passport/PII exposed)',
            'legal_liabilities': ['data protection authority notifications '
                                  'required'],
            'operational_impact': 'Limited to Driver Categorisation system; no '
                                  'other FIA platforms affected',
            'systems_affected': ['FIA Driver Categorisation website/database']},
 'initial_access_broker': {'entry_point': 'FIA Driver Categorisation website '
                                          'admin application process',
                           'high_value_targets': ["Max Verstappen's profile",
                                                  'other F1 drivers with '
                                                  'sports car backgrounds'],
                           'reconnaissance_period': '<10 minutes (per '
                                                    "attackers' claim)"},
 'investigation_status': 'Resolved (contained and reported)',
 'lessons_learned': ['Admin privilege assignment requires stricter controls',
                     'Third-party security testing (e.g., bug bounty) can '
                     'reveal critical flaws',
                     'Sensitive driver data needs additional protection '
                     'layers'],
 'motivation': ['research', 'responsible disclosure', 'awareness'],
 'post_incident_analysis': {'corrective_actions': ['secured the vulnerable '
                                                   'portal',
                                                   'enhanced '
                                                   'security-by-design '
                                                   'policies',
                                                   'notified '
                                                   'authorities/drivers'],
                            'root_causes': ['lack of access control for admin '
                                            'roles',
                                            'absence of verification for '
                                            'privilege escalation']},
 'recommendations': ['Implement multi-factor authentication for admin access',
                     'Conduct regular penetration testing on public-facing '
                     'portals',
                     'Enhance logging/monitoring for unusual access patterns',
                     "Review 'security-by-design' principles for legacy "
                     'systems'],
 'references': [{'source': 'ESPN (FIA spokesperson statement)'},
                {'source': "Ian Carroll's blog post"},
                {'source': "Gal Nagli's X (Twitter) posts"}],
 'regulatory_compliance': {'regulations_violated': ['GDPR (likely, given '
                                                    'EU-based organization and '
                                                    'PII exposure)'],
                           'regulatory_notifications': ['applicable data '
                                                        'protection '
                                                        'authorities (notified '
                                                        'by FIA)']},
 'response': {'communication_strategy': ['notification to affected drivers',
                                         'public statement via ESPN',
                                         'reporting to data protection '
                                         'authorities'],
              'containment_measures': ['securing the Driver Categorisation '
                                       'website',
                                       'revoking unauthorized access'],
              'enhanced_monitoring': 'world-class data security measures (per '
                                     'FIA statement)',
              'incident_response_plan_activated': True,
              'remediation_measures': ['patch for admin privilege '
                                       'vulnerability',
                                       'security-by-design review']},
 'stakeholder_advisories': ['Notified affected drivers',
                            'Public statement issued'],
 'threat_actor': ['Gal Nagli (self-described hacker/bug bounty hunter)',
                  'Ian Carroll (blogger)'],
 'title': "FIA Driver Categorisation Database Breach Exposes Max Verstappen's "
          'Personal Information',
 'type': ['data breach', 'unauthorized access', 'privilege escalation'],
 'vulnerability_exploited': 'Ability to self-apply for admin privileges on the '
                            'FIA Driver Categorisation portal'}
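The record above says only that the portal let a user "self-apply for admin privileges"; the exact request the researchers sent is not on this page. The following is an added illustration, not FIA code, of the generic bug class that produces that outcome: a profile-update handler that writes every field in the request body to the user model (so a `role` key is honoured) shown beside a hardened version that keeps a server-side allow-list of client-updatable fields, moves role changes behind an admin-only function, and writes an audit entry for every rejected or approved privilege change (the logging/monitoring recommendation above). The user store, the field names `role`/`name`/`email`/`phone`, and the sample accounts are all constructed assumptions.

```python
"""Self-service privilege escalation via mass assignment, and its fix.

Constructed example for illustration only. The user model, the field
names and the sample accounts are assumptions; nothing here is FIA code
or the actual request used against the Driver Categorisation portal.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ROLE_USER = "user"
ROLE_ADMIN = "admin"

# Fields a logged-in user may change about their own profile. Anything
# outside this set (notably ``role``) is a protected, server-owned field.
CLIENT_UPDATABLE = frozenset({"name", "email", "phone"})


@dataclass
class User:
    user_id: int
    name: str
    email: str
    role: str = ROLE_USER
    phone: str = ""


@dataclass
class AuditLog:
    entries: List[str] = field(default_factory=list)

    def record(self, msg: str) -> None:
        self.entries.append(msg)


class Forbidden(Exception):
    """Raised when the caller lacks the right to perform the action."""


def update_profile_vulnerable(db: Dict[int, User], actor_id: int, payload: dict) -> User:
    """VULNERABLE: every key in the request body that matches a model
    attribute is written back. A self-registered user who includes
    ``"role": "admin"`` in the body promotes themselves."""
    user = db[actor_id]
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_hardened(db: Dict[int, User], actor_id: int, payload: dict,
                            audit: AuditLog) -> User:
    """HARDENED: only allow-listed fields are accepted. A request carrying
    any protected field is rejected as a whole and recorded, so an
    attempted escalation becomes a visible event rather than a silent no-op."""
    user = db[actor_id]
    rejected = set(payload) - CLIENT_UPDATABLE
    if rejected:
        audit.record(f"user={actor_id} attempted to set protected fields {sorted(rejected)}")
        raise Forbidden(f"fields not permitted: {sorted(rejected)}")
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def grant_role(db: Dict[int, User], actor_id: int, target_id: int, role: str,
               audit: AuditLog) -> User:
    """Role changes live on a separate path that checks the ACTOR's
    server-side role, never a flag supplied by the client."""
    if db[actor_id].role != ROLE_ADMIN:
        audit.record(f"user={actor_id} denied role change on user={target_id}")
        raise Forbidden("admin role required")
    db[target_id].role = role
    audit.record(f"admin={actor_id} set role={role} on user={target_id}")
    return db[target_id]


def demo() -> dict:
    """Run the escalation against both handlers and report what happened."""
    # Constructed sample data: one self-registered account, no admins.
    db = {7: User(7, "Mallory", "mallory@example.invalid")}
    audit = AuditLog()
    escalation = {"name": "Mallory", "role": ROLE_ADMIN}

    # 1. Vulnerable handler: one ordinary profile update makes the caller admin.
    update_profile_vulnerable(db, 7, dict(escalation))
    vulnerable_role = db[7].role

    # 2. Reset and replay the same payload against the hardened handler.
    db[7].role = ROLE_USER
    try:
        update_profile_hardened(db, 7, dict(escalation), audit)
        hardened_blocked = False
    except Forbidden:
        hardened_blocked = True

    # 3. The dedicated role endpoint also refuses a non-admin caller.
    try:
        grant_role(db, 7, 7, ROLE_ADMIN, audit)
        grant_blocked = False
    except Forbidden:
        grant_blocked = True

    return {
        "vulnerable_role": vulnerable_role,
        "hardened_blocked": hardened_blocked,
        "grant_blocked": grant_blocked,
        "role_after": db[7].role,
        "audit": audit.entries,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The important design choice is that the allow-list is defined on the server and the role check reads the stored role of the acting user, so no client-controlled field can influence authorization. Rejecting the whole request, rather than silently dropping the protected key, is what turns an escalation attempt into an audit event worth alerting on.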