FIA Confirms Data Breach Exposed F1 Drivers' Personal Information

By Ash K
By NeuraCyb Intelligence Desk

Formula 1’s governing body, the FIA, has confirmed that one of its driver information databases was compromised, allowing unauthorized access to personal data belonging to several top drivers, including world champion Max Verstappen.

Hackers accessed driver records in minutes

The FIA disclosed that a vulnerability in its Driver Categorisation System - a database used for sports car and endurance racing - was exploited by two independent researchers who managed to gain administrative privileges in under ten minutes. The portal, which lists professional and amateur drivers eligible for GT and endurance events, also contained profiles for Formula 1 drivers who have competed in sports car categories earlier in their careers.

According to the researchers, the exploit was alarmingly simple: they registered a new account and were able to escalate it to an administrator role without verification. Once inside, they reportedly accessed files belonging to Max Verstappen, Lando Norris, Fernando Alonso, and Nico Hülkenberg, among others.

Details of the exposed information

The researchers, Gal Nagli and Ian Carroll, posted on X (formerly Twitter) explaining that the flaw exposed highly sensitive data. Carroll stated that within minutes they could see “passport details, personal contact information, FIA correspondence, licensing documents, internal communications, and committee discussions on driver performance.”

“We stopped testing after realising it was possible to access Verstappen’s passport, résumé, license, password hash, and other personally identifiable information,” Carroll wrote in a follow-up blog post. “This data was accessible for all F1 drivers listed in the categorisation system, alongside confidential FIA operational data.”

Both researchers stressed that no data was downloaded or shared publicly. They immediately informed the FIA about the exposure and deleted any temporary access credentials used during testing.

FIA’s response

In a statement to international media outlets, an FIA spokesperson confirmed the breach: “The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer. Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data-protection authorities in accordance with our obligations.”

The governing body added that “a small number of drivers” had been directly impacted and had already been notified. No other FIA digital platforms were affected.

“The FIA has invested extensively in cybersecurity and resilience measures across its digital estate,” the spokesperson said. “World-class security frameworks are in place to protect our stakeholders, and all new digital systems now adopt a security-by-design approach.”

Broader implications for data protection in sports

The breach highlights the growing intersection of sports administration and digital risk. Athlete management platforms increasingly hold sensitive biometric, licensing, and identity data that could be valuable to attackers.

Cybersecurity experts warn that as sports federations expand digital engagement - through cloud-based registration, performance analytics, and sponsorship systems - their attack surface widens dramatically.

“It’s a reminder that every connected database, no matter how niche, is part of the identity ecosystem,” said NeuraCyb analysts. “A vulnerability in a registration portal can easily cascade into credential theft, social engineering, or reputational damage for athletes and governing bodies alike.”

Looking ahead

The FIA’s swift response and transparency have been widely praised, but the incident underscores the urgency for federations and event organisers to adopt modern cybersecurity governance. Experts recommend mandatory penetration testing, strict role-based access controls, and continuous monitoring of authentication systems.
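The reported flaw, a self-registered account reaching the administrator role without verification, is what strict role-based access control and monitoring are meant to stop. The Python below is an added example, not the FIA's code and not taken from the researchers' write-up; the account model, role names and field names are hypothetical. It fixes the role at registration, allow-lists self-editable fields, authorises role changes server-side, and records denied attempts for monitoring.

```python
# Added example: constructed account model, not the FIA's implementation.
from dataclasses import dataclass, field

ROLES = ("driver", "staff", "admin")         # hypothetical role names
SELF_EDITABLE = {"display_name", "email"}    # fields a user may set on their own record


@dataclass
class Account:
    username: str
    role: str = "driver"                     # lowest privilege by default
    profile: dict = field(default_factory=dict)


class AccountService:
    def __init__(self):
        self.accounts = {}
        self.audit = []                      # denied/rejected events for alerting

    def register(self, username, **submitted):
        # Self-registration always yields the lowest role; a client-sent
        # "role" value is dropped and recorded by update_profile().
        acct = Account(username)
        self.accounts[username] = acct
        self.update_profile(username, username, submitted)
        return acct

    def update_profile(self, actor, target, submitted):
        acct = self.accounts[target]
        if actor != target and self.accounts[actor].role != "admin":
            self.audit.append(("denied_profile_edit", actor, target))
            raise PermissionError("cannot edit another account")
        for key, value in submitted.items():
            if key in SELF_EDITABLE:
                acct.profile[key] = value
            else:
                # Privileged or unknown fields never reach the record.
                self.audit.append(("rejected_field", actor, key))
        return acct

    def change_role(self, actor, target, new_role):
        # Role changes are a separate operation, checked against the
        # actor's stored role rather than anything in the request.
        if new_role not in ROLES:
            raise ValueError("unknown role")
        actor_acct = self.accounts.get(actor)
        if actor_acct is None or actor_acct.role != "admin":
            self.audit.append(("denied_role_change", actor, target))
            raise PermissionError("admin role required")
        self.accounts[target].role = new_role
        return self.accounts[target]
```

Entries in `audit` are the signal for the continuous monitoring the experts recommend: a new account that submits a role field or calls the role-change operation is worth an alert even though the attempt failed.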

For the affected drivers, the fallout appears limited - yet the breach is a clear warning: even in the fast-paced world of Formula 1, the greatest vulnerabilities can sometimes be found off the track.

Region: Global · Industry: Sports / Motorsport / Data Security · Technology: Web application vulnerability / privilege escalation · Impact: Exposure of personally identifiable information (PII)

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.