The National Association for Stock Car Auto Racing (NASCAR) has confirmed that a ransomware attack earlier this year resulted in the theft of sensitive personal data, including names and Social Security numbers.

The breach, detected on April 3, 2025, was the result of unauthorized access to NASCAR’s network. Following the discovery, NASCAR immediately launched its incident response protocols, partnered with a cybersecurity firm for investigation, and informed relevant law enforcement authorities.

The investigation revealed that threat actors had access to internal systems from March 31 to April 3, during which they exfiltrated files containing personally identifiable information (PII).

According to official filings with the Attorneys General of Maine, Massachusetts, and New Hampshire, affected individuals are now being offered 12 to 24 months of complimentary credit and identity monitoring services.

While NASCAR has begun issuing written notifications to those impacted, it has not publicly disclosed how many individuals were affected, nor has it confirmed the specific method or ransomware strain used in the attack.

However, in April, the Medusa ransomware group claimed responsibility by listing NASCAR on its Tor leak site, alleging they had stolen approximately 1 terabyte of data and demanding a $4 million ransom for its return. NASCAR has yet to confirm the validity of these claims.

Founded in 1948, NASCAR is a major player in American motorsports, owning 14 premier racing facilities and managing several stock car racing series across the United States.

Industry Takeaway

This breach highlights the growing threat landscape surrounding critical infrastructure and entertainment sectors, underscoring the importance of:

• Proactive threat detection and monitoring
• Swift and transparent incident response
• Protecting sensitive data through encryption, access controls, and zero trust architectures
• Investing in employee training to minimize human error vulnerabilities

As ransomware groups increasingly target high-profile organizations, the importance of robust cybersecurity posture and regulatory compliance cannot be overstated.

Source: https://www.securityweek.com/nascar-confirms-personal-information-stolen-in-ransomware-attack