NASCAR confirms data breach after March cyberattack

NASCAR warned customers this week of a data breach caused by a cyberattack in March.

The incident exposed the Social Security numbers of an unknown number of victims. In filings with regulators in Maine, New Hampshire and Massachusetts, the company declined to say how many people were affected.

NASCAR, an acronym for the National Association for Stock Car Racing, said its IT team identified a cyberattack on April 3 and began an investigation.

Law enforcement was notified and a cybersecurity firm was hired to look into the attack.

“The investigation determined that the unauthorized actor acquired certain files on the Company’s network between March 31 and April 3, 2025,” NASCAR said.

In late June, the company determined that Social Security numbers had been exposed. 

Founded in 1948, the Daytona Beach-based company operates as an auto racing sanctioning body that organizes more than 1,500 races across the U.S. each year.

Breach notification letters were sent out to victims on July 24, and victims are being given one year of credit monitoring services. 

NASCAR did not respond to requests for comment in April when the Medusa ransomware gang added the company to its leak site and demanded a $4 million ransom. The company also did not respond to inquiries on Friday.

Medusa claimed to have exfiltrated gigabytes of company data and set a deadline of April 19 for ransom payment. It is unclear if the data was published.

In March, the FBI and other U.S. agencies warned that Medusa was behind more than 300 cyberattacks on critical infrastructure organizations.

For more than four years, the group has terrorized governments and companies — gaining notoriety for an attack on Minneapolis Public Schools that exposed troves of sensitive student documents impacting more than 100,000 people. 

In addition to attacks on the Pacific island nation of Tonga, it has targeted municipalities in France and government agencies in the Philippines, as well as a technology company created by two of Canada’s largest banks. 

Rebecca Moody, head of data research at the cybersecurity firm Comparitech, said Medusa is among the top 10 most prolific ransomware strains this year so far, with 106 attacks claimed and 19 that have been confirmed. 

The group’s attack on Bell Ambulance affecting more than 100,000 people is one of this year’s biggest data breaches, she said.