The International Automobile Federation (FIA), the governing body of Formula 1 and other categories of global motorsport, has confirmed that it was the victim of a cyberattack that exposed the personal and sensitive data of more than 7,000 drivers. The incident, which occurred on June 3, came to light this week after being publicly revealed by security researchers who discovered the vulnerabilities and alerted the FIA.

What data was compromised in the attack on the FIA?

The attack affected the FIA's Driver Categorization portal, a platform where super licenses, classifications and confidential documentation of professional drivers are managed. Hackers were able to access:

  • Passports and identity documents
  • Curricula vitae and contact details (emails and phone numbers)
  • Password hashes and access credentials
  • Information on super licenses and driver ratings
  • Internal communications between the FIA and drivers

Among those affected is the four-time Formula 1 world champion Max Verstappen, whose personal data could be viewed by the attackers, although they claim not to have retained sensitive information or accessed complete confidential documents.

Who was responsible and how did they act?

Those responsible for the hack were three security researchers known as Gal Nagli, Sam Curry and Ian Carroll, who identify themselves as Formula 1 fans and say that their objective was to expose vulnerabilities in the system and not cause harm. According to Carroll, they were able to raise their privileges from a normal user account to full administrator access in less than 10 minutes.

Once inside the system, they validated that it was possible to access critical information about any driver and decided to stop the tests immediately. They notified the FIA on June 3 of the detected faults, helping to correct the problem. The portal was immediately disconnected and restored with reinforced security measures on June 10.

FIA reaction and measures taken

The FIA issued an official statement from the Mexican Grand Prix confirming the incident and the corrective actions taken. “The FIA became aware of a cyberincident affecting the Driver Categorization website during the summer. Immediate steps were taken to protect pilot data and the problem was reported to the competent data protection authorities,” the agency said.

The federation claims to have invested considerably in cybersecurity and is implementing “security by design” policies on all its digital platforms. In addition, it notified all affected drivers and confirmed that no other FIA digital platform was compromised.

Remaining lessons and challenges for motorsport

This incident highlights the critical importance of cybersecurity in high-level sports organizations that manage sensitive information of thousands of people. The breach revealed a lack of adequate protocols for the management of shared credentials and insufficient access controls.

The FIA case highlights the need for:

  • Regular security audits and penetration tests
  • Robust identity and privilege management
  • Ongoing cybersecurity training for internal teams
  • Collaboration with the community of ethical researchers to detect vulnerabilities before they are exploited for malicious purposes

Does your organization manage sensitive data and do you want to avoid security breaches?

At Apolo Cybersecurity, we perform advanced audits and penetration tests and train teams to anticipate and mitigate critical risks. Protect your reputation and the trust of your users.
