The National Association for Stock Car Auto Racing (NASCAR) has disclosed a data breach following a network intrusion that occurred between March 31 and April 3, 2025.
Although the organization did not disclose many details about the breach, it may be connected to a broader ransomware incident earlier this year involving the notorious Medusa group.
NASCAR, headquartered in Daytona Beach, Florida, is the governing body for stock car racing in the United States and owns 16 major motorsport facilities nationwide. The organization employs over 8,700 people and plays a central role in American motorsports culture and business.
According to the breach notification submitted to the Maine Attorney General's office, NASCAR detected unusual activity on April 3 and immediately launched an investigation with the assistance of a specialized cybersecurity firm. The company determined that threat actors had accessed and exfiltrated data files from their internal network during a three-day window. It wasn't until June 24, 2025, that investigators confirmed these files contained personally identifiable information, specifically names and Social Security numbers.
The notice shared with the authorities does not list all the compromised data types, so it is unclear precisely what was exposed to the cybercriminals.
NASCAR began notifying affected individuals on July 24, offering them one year of free credit and identity monitoring services through Experian. The organization has also set up a toll-free call center to assist with inquiries related to the incident.
Although NASCAR has not disclosed the total number of individuals impacted, this disclosure follows a claim by the Medusa ransomware gang in April 2025 that they had breached the organization's network. The gang claimed to have stolen over one terabyte (1,038.70 GB) of data and demanded a $4 million ransom. The entry, initially listed on Medusa's leak site, has since been removed, an action that sometimes signals either negotiations, payment, or abandonment of the extortion attempt.
In its notification to affected individuals, NASCAR emphasized that it had taken immediate steps to secure its systems and was implementing additional security enhancements. While the company did not provide details on the nature of the compromised files or how many people were affected, the Medusa claim suggests that the scale may be far broader than officially acknowledged.
Leave a Reply