FIA Driver Portal Breach Exposed Verstappen Data

In June a trio of security researchers — Gal Nagli, Sam Curry and Ian Carroll — used a role‑elevation flaw (via injected JavaScript and an HTTP PUT request) to gain administrator access to the FIA Driver Categorisation portal and, within about 10 minutes, view Max Verstappen’s passport, licence, password hash, contact details and internal FIA communications along with data for thousands of drivers. The researchers say they had no malicious intent, did not download or retain sensitive records, deleted any test data and reported the flaw to the FIA before publicly disclosing their findings on October 23. The FIA confirmed the incident, took the categorisation site offline in June, secured the system, notified affected drivers and reported the breach to relevant data protection authorities, saying no other FIA platforms were impacted. The episode exposed systemic security weaknesses in the driver‑classification system, was fixed with the researchers’ help, and prompted the FIA to reiterate its investment in cyber‑security and ‘‘security‑by‑design’’ for future digital initiatives.