Photo: Getty Images / Red Bull Content Pool
Hackers briefly accessed the personal data of hundreds of Formula 1 drivers, including Max Verstappen, after discovering a serious vulnerability in the FIA’s driver categorisation portal.
Earlier this summer, hackers briefly got access to the personal information of hundreds of racing drivers, including four-time Formula 1 world champion Max Verstappen, after a security breach in the FIA’s driver categorisation portal. The breach allowed them to see sensitive data such as passports, driver licences, and personal contact details.
X user Nagli, who calls himself “Hacker” and “Head of Threat Exposure at @wiz_io”, revealed on X that he, along with Sam Curry and Ian Carroll, was testing what they described as “the security of the whole ecosystem.” They created a driver page on the portal and decided to test a theory to see if they could become an admin for the system. “It took us 10 minutes using one simple security flaw,” Nagli wrote on X. “We were looking at the security of the whole ecosystem. That’s how we stumbled upon a severe vulnerability in a critical portal managed by the FIA that was reported and fixed in less than 24 hours.”
Once they became admins, Nagli and his colleagues were able to access the personal data of every driver in the system. “We found a way to access Max Verstappen’s passport, driver’s licence, and personal information along with every other Formula 1 driver’s sensitive data,” he said. However, he stressed that they did not download or save any passports or sensitive information. “All test data was deleted. No driver information was compromised by us,” he added. These comments were reported by PlanetF1.
We found a way to access Max Verstappen's passport, driver's license, and personal information. Along with every other @Formula1 driver's sensitive data.
It took us 10 minutes using one simple security flaw 🧵
— Nagli (@galnagli) October 22, 2025
The trio worked with the FIA to resolve the issue and reported the flaw immediately. “We worked with the FIA to promptly fix the issue. Shoutout to their team for the rapid response and taking the matter seriously,” Nagli said.
An FIA spokesperson told PlanetF1 regarding the matter: “Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations. It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.”
The cause of the breach was explained as a “mass assignment” bug, in which the system trusted a request to become an admin without checking whether the account had permission. The FIA added that it has invested extensively in cybersecurity and resilience measures across its digital estate and implements a policy of security-by-design in all new digital initiatives.
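To illustrate the bug class named above, here is an added example (not code from the FIA portal or from the researchers): a profile-update handler that copies every submitted field onto the account, next to a version that binds only allow-listed fields and routes role changes through a separate, permission-checked path. The Account model, field names and request body are hypothetical and constructed for the illustration.

```python
# Added illustration of mass assignment. All names here are hypothetical
# and are not taken from the FIA portal.
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    display_name: str
    roles: list = field(default_factory=lambda: ["driver"])

# Constructed request body: a normal profile edit plus a field the
# client should never be allowed to set on its own account.
REQUEST_BODY = {"display_name": "Test Driver", "roles": ["admin"]}

def update_profile_vulnerable(account, body):
    """Copies every client-supplied key onto the model (mass assignment)."""
    for key, value in body.items():
        setattr(account, key, value)
    return account

# Fields an account owner may change. Everything else is rejected.
SELF_EDITABLE = frozenset({"email", "display_name"})

def update_profile_hardened(account, body):
    """Binds only allow-listed fields; refuses the whole request otherwise."""
    rejected = sorted(set(body) - SELF_EDITABLE)
    if rejected:
        # Rejecting instead of silently dropping makes attempts visible in logs.
        raise PermissionError(f"fields not editable by account owner: {rejected}")
    for key in SELF_EDITABLE & set(body):
        setattr(account, key, body[key])
    return account

def set_roles(actor, target, roles):
    """Role changes use a separate path that checks the caller's permission."""
    if "admin" not in actor.roles:
        raise PermissionError("only an admin may change roles")
    target.roles = list(roles)
    return target

def demo():
    weak = update_profile_vulnerable(Account("a@example.test", "A"), REQUEST_BODY)
    strong = Account("b@example.test", "B")
    try:
        update_profile_hardened(strong, REQUEST_BODY)
        blocked = False
    except PermissionError:
        blocked = True
    return weak.roles, strong.roles, blocked
```

Calling `demo()` shows the first handler leaving the account with the admin role, while the second refuses the request and leaves the roles untouched.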
This is not the first time the FIA has faced a hack. Last year, phishing attacks allowed unauthorised access to personal data in two FIA email accounts. At the time, the FIA told TechRadar that it took all actions to stop the access and notified the relevant French and Swiss data protection authorities.