NASCAR Confirms Data Breach Following Medusa Ransomware Attack

In April 2025, the National Association for Stock Car Auto Racing (NASCAR) experienced a significant cybersecurity incident when the Medusa ransomware group infiltrated its network, exfiltrating over one terabyte of sensitive data. The breach, which occurred between March 31 and April 3, 2025, was identified by NASCAR on April 3, prompting an immediate response to secure systems and initiate a comprehensive investigation.

Discovery and Initial Response

Upon detecting the unauthorized access, NASCAR engaged a third-party cybersecurity firm and notified law enforcement agencies to assist in the investigation. The inquiry revealed that the attackers had accessed and extracted files containing personal information, including names and Social Security numbers. The full extent of the compromised data was determined by June 24, 2025, leading to the dispatch of notification letters to affected individuals on July 24, 2025.

Details of the Breach

The Medusa ransomware group, active since 2021, claimed responsibility for the attack, alleging the theft of approximately 1,038.70 GB of data. The stolen information reportedly includes employee names, email addresses, job titles, raceway maps, internal notes, and potentially Social Security numbers. Medusa demanded a $4 million ransom to prevent the public release of the data, setting a deadline of April 19, 2025, with an option to extend the deadline for $100,000 per day. The group also released a file tree with over 400,000 lines, showcasing the depth of the breach.

NASCAR’s Response and Support for Affected Individuals

In response to the breach, NASCAR has offered complimentary credit and identity monitoring services through Experian’s IdentityWorks for up to two years. This service includes credit monitoring across all three major bureaus, identity restoration support, and up to $1 million in identity theft insurance. Affected individuals are advised to enroll in these services promptly, regularly review credit reports for unauthorized activity, and consider placing fraud alerts or security freezes on their credit files.

Implications and Industry Context

This incident underscores the growing threat of ransomware attacks targeting major organizations. Medusa’s double-extortion tactic, which combines encrypting data with threatening to leak it, has been employed in over 300 attacks across various industries since 2021. The exposure of sensitive information poses significant privacy risks, including potential identity theft and financial fraud. NASCAR’s breach highlights the critical need for robust cybersecurity measures and prompt incident response protocols to mitigate such threats.