Le Mans Endurance Management, operating the FIA World Endurance Championship’s website, exposed the data of hundreds of drivers by leaking their IDs and drivers’ licenses, the Cybernews research team has discovered.
On June 16th, our researchers came across two misconfigured, meaning publicly exposed, Google Cloud Storage buckets. Both combined, they contained over 1.1 million files. Among them were hundreds of passports, government-issued IDs, and drivers’ licenses belonging to FIA World Endurance Championship (FIA WEC) drivers.
Introduced in 2012, FIA WEC features eight endurance races across the world, including its cornerstone stage – 24 hours at Le Mans. Hundreds of drivers and top car brands, including Cadillac, Ferrari, and Porsche, are competing in the prestigious race with three stages left to complete.
FIA WEC data leak
The Cybernews research team discovered two publicly exposed storage buckets containing 1.1 million files. Public exposure of such databases means that anyone could easily access sensitive data and abuse it. Namely, the leaked data included:
- Drivers’ licenses
- Government-issued IDs
The exposed documents belong to elite racers of the endurance championship. Many are longtime participants in the race, with some having even won various stages of the competition. In an abundance of caution, we’re choosing not to disclose their identities.
The exposed storage buckets belong to the fiawec (.) com website, managed by Le Mans Endurance management.
Following the correspondence with Cybernews, the exposed datasets were secured and are not leaking data at the time of writing. However, an incident where personal data is disclosed without authorisation is a violation of the General Data Protection Regulation (GDPR).
Cybernews has reached out to both the company and local data protection authority (CNIL in France) for an official comment. CNIL said it had “not received any complaints or reports about this case,” and we’ve yet to receive a response from the company.
What can thieves do with passports?
Whether it’s a physical document or just a digital copy, one’s passport or driver’s license is of great value to a thief.
With such a trove of personal information, a criminal could impersonate victims, essentially stealing their identities and running wild with them.
“They may engage in fraudulent activities, create bank accounts, apply for loans. Furthermore, cybercriminals may attempt to acquire unauthorized access to bank accounts or credit cards and use stolen identities to conduct fraudulent transactions, resulting in financial loss and harm to victims’ credit scores.
Criminals might also exploit the information to craft highly personalized and targeted attacks against the drivers whose information was exposed in the leak.
Recommendations to Le Mans Endurance Management
- A post-incident analysis should be conducted.
- Identify the source of the leak.
- Determine any vulnerabilities or shortcomings in the systems or procedures that led to the incident.
- Use public access prevention to restrict access to the bucket and its contents.
- Monitor access logs retrospectively to determine whether data was stolen.
- Affected drivers should be informed in the case of data theft.
- Affected drivers should be advised on identity protection.
- The company should up its security game to prevent leaks in the future.