Fédération Internationale de l'Automobile (FIA)

The FIA, the governing body of Formula 1 and motorsport, suffered a data breach on its Driver Categorisation website in June 2024, exposed by security researcher Ian Carroll. Hackers exploited vulnerabilities to access sensitive personal information of nearly 7,000 drivers, including Max Verstappen, the four-time world champion. Compromised data included passport details, résumés, driver’s licenses, password hashes, and personally identifiable information (PII). While the hackers (including Carroll) claimed they did not retain or misuse the data and reported the breach immediately, the incident revealed critical flaws in FIA’s cybersecurity.

The FIA took the affected website offline on June 3, implemented a fix within a week, and notified impacted drivers and data protection authorities. Despite no evidence of data theft or further exploitation, the breach exposed internal FIA operations alongside driver records, raising concerns over reputational damage and regulatory compliance. The FIA emphasized its investment in ‘world-class’ cybersecurity measures, but the incident highlighted vulnerabilities in handling high-profile athlete data. The breach did not affect other FIA digital platforms, but the exposure of elite drivers’ confidential documents—including a global sports icon like Verstappen—intensified scrutiny over the organization’s data protection protocols.

Source: https://www.sportbible.com/f1/max-verstappen-formula-1-fia-grand-prix-hacker-190560-20251023

TPRM report: https://www.rankiteo.com/company/federation-internationale-de-l-automobile

"id": "fed5892858102325",
"linkid": "federation-internationale-de-l-automobile",
"type": "Breach",
"date": "6/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '7,000 drivers (including F1 '
                                              'drivers with categorisation)',
                        'industry': ['motorsport', 'automotive regulation'],
                        'location': 'Paris, France (HQ)',
                        'name': "Fédération Internationale de l'Automobile "
                                '(FIA)',
                        'type': 'governing body'}],
 'attack_vector': ['vulnerability exploitation', 'web application compromise'],
 'customer_advisories': ["direct notification to 'small number of drivers "
                         "impacted'"],
 'data_breach': {'data_exfiltration': ['accessed but not retained or '
                                       'exfiltrated by hackers'],
                 'file_types_exposed': ['PDF (passports, licenses)',
                                        'documents (résumés)',
                                        'database records (PII)'],
                 'number_of_records_exposed': '7,000 (all drivers in the '
                                              'categorisation system)',
                 'personally_identifiable_information': ['full names',
                                                         'passport numbers',
                                                         'license details',
                                                         'contact information',
                                                         'employment history'],
                 'sensitivity_of_data': 'high (includes government-issued IDs '
                                        'and authentication credentials)',
                 'type_of_data_compromised': ['PII',
                                              'passport scans',
                                              'résumés',
                                              'license details',
                                              'password hashes',
                                              'internal operational data']},
 'date_detected': '2024-06-03',
 'date_publicly_disclosed': '2024-10-22',
 'date_resolved': '2024-06-10',
 'description': "Hackers compromised the FIA's Driver Categorisation website, "
                'exposing sensitive personal information of nearly 7,000 '
                'drivers, including four-time F1 world champion Max '
                'Verstappen. The breach was discovered and reported by '
                'security researcher Ian Carroll in June 2024, with the FIA '
                'implementing fixes shortly after. No sensitive data was '
                'retained by the hackers, but the incident highlighted '
                "vulnerabilities in the FIA's systems.",
 'impact': {'brand_reputation_impact': ['negative publicity',
                                        'perceived lack of security'],
            'data_compromised': ['passport details',
                                 'résumé',
                                 'license information',
                                 'password hashes',
                                 'personally identifiable information (PII)',
                                 'internal FIA operations data'],
            'downtime': ['2024-06-03 to 2024-06-10 (website taken offline)'],
            'identity_theft_risk': ['high (due to PII exposure)'],
            'legal_liabilities': ['potential GDPR or data protection '
                                  'violations'],
            'operational_impact': ['temporary suspension of Driver '
                                   'Categorisation services',
                                   'embarrassment for FIA'],
            'systems_affected': ['FIA Driver Categorisation website']},
 'investigation_status': 'completed (fixes implemented, no ongoing '
                         'investigation mentioned)',
 'lessons_learned': ['importance of proactive vulnerability testing',
                     'need for real-time monitoring of web applications',
                     'rapid response protocols for data breaches'],
 'motivation': ['responsible disclosure', 'ethical hacking'],
 'post_incident_analysis': {'corrective_actions': ['comprehensive fix deployed',
                                                   'investment in '
                                                   'cybersecurity resilience '
                                                   'measures',
                                                   'world-class data security '
                                                   'enhancements'],
                            'root_causes': ['unpatched vulnerabilities in '
                                            'Driver Categorisation website',
                                            'inadequate access controls']},
 'recommendations': ['regular third-party security audits',
                     'implementation of multi-factor authentication for '
                     'sensitive systems',
                     'enhanced encryption for stored PII',
                     'public transparency in breach disclosures'],
 'references': [{'date_accessed': '2024-10-22', 'source': 'RaceFans article'},
                {'date_accessed': '2024-10-22',
                 'source': "Ian Carroll's disclosure statement"}],
 'regulatory_compliance': {'regulations_violated': ['potential GDPR (EU '
                                                    'General Data Protection '
                                                    'Regulation) '
                                                    'non-compliance'],
                           'regulatory_notifications': ['reported to '
                                                        'applicable data '
                                                        'protection '
                                                        'authorities']},
 'response': {'communication_strategy': ['notification to affected drivers',
                                         'statement to RaceFans media',
                                         'reporting to data protection '
                                         'authorities'],
              'containment_measures': ['website taken offline on 2024-06-03'],
              'enhanced_monitoring': ['investment in cybersecurity and '
                                      'resilience measures post-incident'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['website restored after fixes'],
              'remediation_measures': ['comprehensive fix implemented within '
                                       'one week',
                                       'vulnerabilities addressed']},
 'stakeholder_advisories': ['notification to affected drivers',
                            'public statement via RaceFans'],
 'threat_actor': ['security researcher (Ian Carroll)',
                  'two other unnamed hackers'],
 'title': 'FIA Driver Categorisation Website Data Breach Exposing Max '
          "Verstappen's Personal Information",
 'type': ['data breach', 'unauthorized access']}