Max Verstappen after United States Grand Prix win. Picture: RacePictures

Verstappen’s data hacked in FIA website breach: federation reacts

10:11, 23 Oct

Updated: 11:21, 23 Oct

byDrew Murphy

An FIA website containing sensitive information and documents relating to drivers, including Max Verstappen, has been hacked.

Whilst this was not a malicious hacking attempt, the hackers were able to access sensitive personal information of any driver they chose.

The FIA’s Driver Categorisation website contains the details of almost 7,000 drivers.

The hackers, who breached the website in June, have stated they neither accessed nor retained sensitive information relating to anyone found through the hack and reported their findings to the FIA immediately.

Max Verstappen post-race at the United States Grand Prix -Photo: RacePictures

In a statement shared with GPblog, an FIA spokesperson said: “The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer.

"Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations.

“It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.

“The FIA has invested extensively in cyber security and resilience measures across its digital estate. It has put world-class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives.”

fia-chairman-mohammed-ben-sulayem-at-austin

FIA president Mohammed Ben Sulayem. Picture: RacePictures

How did they do it?

The hackers were able to compromise the FIA’s Driver Catergorisation website by registering an ordinary user account, then took advantage of vulnerabilities to gain administrator privileges.

Security researcher Ian Carroll revealed: “We stopped testing after seeing that it was possible to access Verstappen’s passport, résumé, license, password hash, and PII [personally identifiable information.

"This data could be accessed for all F1 drivers with a categorisation, alongside sensitive information of internal FIA operations.

"We did not access any passports [or] sensitive information, and all data has been deleted.”

The FIA have taken steps to address the vulnerabilities in their system and to secure drivers’ data.

They have also contacted the drivers involved, and the relevant data protection authorities have been updated.

The website went offline on June 3rd the same day they were notified of the breach, and remained offline whilst the FIA completed a "comprehensive fix".

GPblog's F1 Paddock Update

Want to stay up-to-date with what happens in the F1 paddock? Then GPblog's F1 Paddock Update video is the perfect way to do it. Subscribe to GPblog's YouTube channel and turn on notifications to never miss the latest episodes.