
FIA Driver categorisation website vulnerability exposes data of nearly 7,000 FIA drivers



The Fédération Internationale de l'Automobile (FIA) has confirmed a vulnerability in its Driver Categorisation website, uncovered by white-hat researchers, that exposed sensitive personal information of racing drivers, including four-time Formula 1 world champion Max Verstappen.

The security flaw was discovered in June 2025 by three independent security researchers, including one identified as "galnagli" on Twitter. The researchers created an ordinary user account on the FIA's Driver Categorisation website as part of their investigation into the security of the motorsport governing body's digital ecosystem. 

During their testing, they identified a security weakness in which the server accepted requests to elevate a user's privileges without properly verifying whether the account had legitimate authorization for such access rights. The researchers were able to request and receive full administrator privileges on the platform, granting them unrestricted access to the personal data of any driver registered in the system.
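The weakness described above, sketched as an added example (not code from the FIA site or from the researchers): a profile-update handler that trusts a client-supplied role field, next to a version that authorizes the change from the caller's stored roles. The request shape, the field names (`email`, `roles`), the role names and both handler functions are assumptions, since the article does not describe the actual request format.

```python
# Added illustration; fields, roles and handler names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class User:
    username: str
    email: str
    roles: set = field(default_factory=lambda: {"USER"})

class Forbidden(Exception):
    """Raised when a caller tries to change something it is not entitled to."""

def update_profile_vulnerable(target: User, body: dict) -> User:
    # Weak pattern: every client-supplied key is copied onto the record,
    # so a "roles" key in the body is honoured like any other field.
    for key, value in body.items():
        setattr(target, key, set(value) if key == "roles" else value)
    return target

SELF_EDITABLE = {"email"}   # fields a user may change on their own record
ADMIN_ONLY = {"roles"}      # fields that require an administrator caller

def update_profile_hardened(caller: User, target: User, body: dict) -> User:
    is_admin = "ADMIN" in caller.roles
    unknown = set(body) - SELF_EDITABLE - ADMIN_ONLY
    if unknown:
        raise Forbidden(f"unexpected fields: {sorted(unknown)}")
    if caller is not target and not is_admin:
        raise Forbidden("cannot edit another user's record")
    if set(body) & ADMIN_ONLY and not is_admin:
        # Authorization comes from the caller's stored roles,
        # never from anything in the request body.
        raise Forbidden("role changes require an administrator")
    for key, value in body.items():
        setattr(target, key, set(value) if key == "roles" else value)
    return target

def demo() -> dict:
    body = {"email": "a@example.test", "roles": ["ADMIN"]}  # constructed request
    weak = update_profile_vulnerable(User("alice", "old@example.test"), dict(body))
    alice = User("alice", "old@example.test")
    try:
        update_profile_hardened(alice, alice, dict(body))
        blocked = False
    except Forbidden:
        blocked = True
    return {"weak_roles": weak.roles, "blocked": blocked, "hard_roles": alice.roles}

if __name__ == "__main__":
    print(demo())
```

The hardened handler rejects the whole request before writing anything, so a refused role change cannot leave a partially updated record behind.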

The researchers tested the extent of the vulnerability by accessing the records of Max Verstappen, one of the most prominent drivers in Formula 1. They discovered they could view highly sensitive personal information, including Verstappen's passport, curriculum vitae, racing superlicence, password hash, and other personally identifiable information (PII). The researchers noted that they stopped testing after seeing that it was possible to access Max Verstappen's data. The same data could be accessed for all F1 drivers with a categorisation, alongside sensitive information of internal FIA operations.

The FIA's Driver Categorisation website contains detailed records for nearly 7,000 drivers from various racing categories worldwide. The vulnerability potentially exposed the sensitive personal data of all drivers registered within this system. 

The FIA claims that only "a small number of drivers" were directly impacted by the incident.

The researchers claim that they neither accessed, downloaded, nor retained any sensitive information beyond what was necessary to demonstrate the vulnerability's severity. "We did not access any passports [or] sensitive information and all data has been deleted," wrote researcher Carroll in a blog post published on Wednesday, October 23, 2025. The account they created for testing purposes was subsequently deleted, and the researchers contacted the FIA to report their findings and collaborate on implementing security fixes.

According to the researchers, the governing body took the Driver Categorisation website offline on June 3, 2025, the same day they were notified of the breach. Within one week, on approximately June 10, 2025, the FIA provided details of a "comprehensive fix" to address the vulnerability. The organization confirmed these actions in an official statement: "The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer. Immediate steps were taken to secure drivers' data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA's obligations". 
