F1's governing body, the FIA, has confirmed one of its driver information databases was subject to a breach that let "hackers" access Max Verstappen's personal information in just 10 minutes.
F1 drivers race under a super license but registration on the FIA Driver Categorisation website allows them to race in sports car events. A group of bloggers have revealed on X they accessed the system, which lists any driver who has taken part in those events across the motor racing world at any stage of their careers.
Verstappen, Lando Norris, Fernando Alonso and Nico Hülkenberg are among the Formula 1 drivers in the system with a background in that area.
Gal Nagli, whose X profile lists him as a hacker and bug bounty hunter, and blogger Ian Carroll outlined through a series of posts how they were able to access the portal by simply applying to be an admin.
The profile of Verstappen, who recently made his endurance sports car racing debut at the Nurburgring, was an immediate point of focus.
Carroll and Nagli were able to find the four-time world champion's "passport, his personal contact, his FIA correspondence, his license documents." They also found "internal communications," "committee discussions about driver performance, private evaluations, and confidential decision-making processes."
A blog post on Carroll's website added: "We stopped testing after seeing that it was possible to access Max Verstappen's passport, resume, license, password hash, and PII. This data could be accessed for all F1 drivers with a categorization, alongside sensitive information of internal FIA operations."
He and Nagli then contacted the FIA to alert the governing body to the flaws in the system.
Carroll added: "We did not access any passports / sensitive information and all data has been deleted."
The FIA has confirmed the breach has been addressed since. An FIA spokesperson told ESPN: "The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer. Immediate steps were taken to secure drivers' data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA's obligations.
"It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted in this incident.
"The FIA has invested extensively in cyber security and resilience measures across its digital estate. It has put world-class data security measures in place to protect all its stakeholders and implements a policy of security-by-design in all new digital initiatives."