NASCAR reveals major data breach exposing sensitive personal information

The National Association for Stock Car Auto Racing announced that it experienced a major data security breach earlier this year, compromising the sensitive personal information of individuals linked to the organisation.

 

Based in Daytona Beach, Florida, the National Association for Stock Car Auto Racing (is the foremost authority and governing body for stock car racing in the United States. As a privately owned entity, it manages and supervises a range of racing events, including the NASCAR Cup Series, the nation’s premier stock car racing championship.

 

In a data security incident notice filed with the Office of Maine Attorney General, NASCAR said that on April 3, it detected suspicious activity within its internal network. The organisation immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“The investigation determined that the unauthorised actor acquired certain files on our network between March 31 and April 3, 2025,” NASCAR said.

 

The compromised data included names and other personal information including Social Security numbers. The association is yet to share the number of affected individuals with the Maine state regulator.

 

“We sincerely apologise for any concern or inconvenience this incident may cause. We have taken, and will continue to take, steps to enhance the security of our network environment,” NASCAR added.

 

NASCAR has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered one year of complimentary identity protection and credit monitoring services through Experian to all affected individuals.

 

 

While NASCAR did not disclose details of the security incident, the Medusa ransomware group claimed responsibility for the cyber attack and listed the organisation as a victim on its data leak site. The group said it had stolen over 1.3TB of confidential data from NASCAR and gave the organisation 10 days to meet its ransom demand. 

 

NASCAR did not comment on Medusa’s claims or its decision regarding the ransom payment.