NASCAR has officially disclosed a data breach resulting from a cyberattack that occurred earlier this year, confirming that Social Security numbers were among the compromised data. The breach is now linked to the Medusa ransomware group, a prolific threat actor known for targeting critical infrastructure and major organizations worldwide.
The National Association for Stock Car Auto Racing—commonly known as NASCAR—stated that its IT team detected the intrusion on April 3, 2025. A forensic investigation launched shortly thereafter revealed that unauthorized access had occurred over a span of four days, between March 31 and April 3.
“The investigation determined that the unauthorized actor acquired certain files on the Company’s network between March 31 and April 3, 2025,” NASCAR said in its breach notification.
By late June, the company confirmed that the accessed files included Social Security numbers. The exact number of affected individuals has not been disclosed, but breach filings have been submitted in Maine, New Hampshire, and Massachusetts.
Founded in 1948 and based in Daytona Beach, NASCAR organizes over 1,500 racing events across the United States annually. On July 24, the company began sending notification letters to victims. Impacted individuals are being offered 12 months of complimentary credit monitoring.
Medusa Ransomware Group Behind NASCAR Breach
The breach is reportedly tied to the Medusa ransomware gang, which listed NASCAR on its leak site in April with a demand for $4 million in ransom. NASCAR did not respond to inquiries in April when the listing was first published, nor did it issue any comments after the breach became public. It remains unclear whether any stolen data has been published.
Medusa claimed to have exfiltrated gigabytes of sensitive company data and set a ransom deadline for April 19. The FBI and several U.S. federal agencies had issued alerts in March about Medusa’s activity, warning that the group had conducted over 300 attacks on critical infrastructure.
The group has a long track record of high-impact cyberattacks, including:
- The breach of Minneapolis Public Schools, exposing data for over 100,000 individuals.
- Attacks on government entities in the Philippines and France.
- Targeting Bell Ambulance, affecting more than 100,000 people—one of this year’s largest confirmed breaches.
- Disruption in the Pacific island nation of Tonga.
- Breaching a Canadian tech company backed by two major banks.
According to Rebecca Moody, Head of Data Research at Comparitech:
“Medusa is among the top 10 most prolific ransomware strains this year so far, with 106 attacks claimed and 19 that have been confirmed.”
Law enforcement agencies have been notified, and NASCAR has retained a cybersecurity firm to assist in the ongoing investigation.
