Hackers briefly had access to the personal data of hundreds of racing drivers, including Max Verstappen, after an FIA security breach earlier this summer, it has been revealed.
X user galnagli has evidence to show he and two others were able to access the confidential information contained within the FIA's driver categorisation portal, such as passport numbers and personal contact details.
It is claimed that the trio decided to look into the "security of the whole ecosystem" and created a driver page on the portal. They then decided to test "a theory" to see if they could become an admin for the portal, and the request was accepted.
This change allowed galnagli and his colleagues access to the personal data of every driver stored in the system, and "for the sake of it" they decided to look up that of Verstappen, the four-time F1 world champion.
They were able to access Verstappen's CV, superlicence, passport and other key personal data, but did not "download or save any passports or sensitive personal information."
The account they had set up was then deleted, as they informed the FIA of what had happened, working together to fix it "promptly."
As for how such a breach was possible, it was explained that the bug was something known as "mass assignment", where the server simply trusted the command sent to become an admin, without checking if the account had such access rights.
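To make the "mass assignment" flaw concrete, here is an added illustration, not code from the FIA portal or from the researchers: a profile-update handler that copies every submitted field onto the account, next to one that allow-lists fields and checks the caller's rights. The account model, field names and role values are assumptions.

```python
# Constructed illustration of mass assignment; the account model, field names
# and role values are assumptions, not details of the FIA portal.
from dataclasses import dataclass

@dataclass
class Account:
    id: int
    email: str
    display_name: str
    role: str = "driver"  # privilege field the client must never set itself

SELF_EDITABLE = frozenset({"email", "display_name"})  # own-profile fields
ADMIN_ONLY = frozenset({"role"})                      # need an admin caller

class Forbidden(Exception):
    pass

def update_vulnerable(account: Account, body: dict) -> Account:
    """The bug: every key in the request body is bound onto the model."""
    for key, value in body.items():
        if hasattr(account, key):
            setattr(account, key, value)
    return account

def update_hardened(account: Account, body: dict, caller: Account) -> Account:
    """Allow-list fields, authorise privileged ones, then apply the change."""
    unknown = set(body) - SELF_EDITABLE - ADMIN_ONLY
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    if set(body) & ADMIN_ONLY and caller.role != "admin":
        raise Forbidden("caller may not change privileged fields")
    if caller.id != account.id and caller.role != "admin":
        raise Forbidden("caller may not edit another account")
    # All checks passed before anything is written, so no partial updates.
    for key, value in body.items():
        setattr(account, key, value)
    return account

def demo() -> tuple[str, str]:
    body = {"display_name": "New Name", "role": "admin"}  # constructed request
    a = update_vulnerable(Account(1, "a@example.test", "A"), dict(body))
    b = Account(2, "b@example.test", "B")
    try:
        update_hardened(b, dict(body), caller=b)
    except Forbidden:
        pass  # rejected: b keeps its original role and name
    return a.role, b.role
```

With the same request body, the first handler leaves the account as an admin while the second rejects the request and leaves it unchanged.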
In a statement, the FIA detailed how "immediate steps" were taken to protect driver data.
"The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer," read a statement as quoted by PlanetF1.
"Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations.
"It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.
"The FIA has invested extensively in cyber security and resilience measures across its digital estate. It has put world-class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives."