The National Association for Stock Car Auto Racing (NASCAR) is notifying an unknown number of individuals that their personal information was stolen in an April 2025 cyberattack.
The incident, the company says, was identified on April 3 and involved unauthorized access to systems on its network.
NASCAR immediately activated its response plan, retained a cybersecurity firm to help it investigate, and notified law enforcement.
The investigation determined that hackers had access to NASCAR’s network between March 31 and April 3, 2025, and that they exfiltrated files containing personal information, including names and Social Security numbers.
The affected individuals are provided with one or two years of free credit and identity monitoring services, the company notes in regulatory filings with the Maine, Massachusetts, and New Hampshire Attorney General’s Offices.
NASCAR also said it began sending written notification letters to the impacted individuals, to inform them of the incident, but did not share details on the number of impacted individuals, nor on the type of cyberattack it fell victim to.
In April, however, the Medusa ransomware group added NASCAR to its Tor-based leak site, claiming the theft of roughly 1 terabyte of data and demanding a $4 million ransom for the return of the stolen information.
NASCAR has not confirmed the attackers’ claims. SecurityWeek has emailed the company for a statement on the matter and will update this article if it responds.
Founded in 1948, NASCAR is a private company that owns 14 major racing venues, oversees stock car racing in the US, and runs three racing series.
Related: Allianz Life Data Breach Impacts Most of 1.4 Million US Customers
Related: Marketing, Law Firms Say Data Breaches Impact Over 200,000 People
Related: Qantas Confirms 5.7 Million Impacted by Data Breach
Related: Nippon Steel Subsidiary Blames Data Breach on Zero-Day Attack
