
Security researchers have discovered vulnerabilities in an FIA website which contained sensitive personal information and documents relating to drivers including world champion Max Verstappen.
Ian Carroll, a member of the trio who examined the site, revealed the breach in a blog post on Wednesday. He said the FIA addressed the vulnerabilities in its systems immediately after he and two other researchers contacted them in June.
The FIA confirmed the breach and said it had taken steps to secure drivers’ data. It has contacted the drivers involved as well as the relevant data protection authorities.
The researchers stated they neither accessed nor retained sensitive information relating to anyone found through the hack and reported their findings to the FIA immediately.
The FIA’s Driver Categorisation website was compromised through the use of an ordinary user account. The researchers took advantage of vulnerabilities in the system to gain administrator privileges. This gave them the ability to access sensitive personal information of any driver they chose. “We seemed to have full admin access to the FIA driver categorisation website,” they noted.
“We stopped testing after seeing that it was possible to access Max Verstappen’s passport, résumé, license, password hash and PII [personally identifiable information],” Carroll wrote. “This data could be accessed for all F1 drivers with a categorisation, alongside sensitive information of internal FIA operations. We did not access any passports [or] sensitive information and all data has been deleted.”
The FIA’s Driver Categorisation website contains the details of almost 7,000 drivers. The governing body responded to the breach in a statement supplied to RaceFans.
“The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer,” it said. “Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations.
“It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.”
According to the researchers, the FIA took the website offline on June 3rd, the same day they were notified of the breach. They supplied details of a “comprehensive fix” one week later.
The FIA says it has “invested extensively in cyber security and resilience measures across its digital estate” and “has put world-class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives.”




