NASCAR data breach leaks SSNs, cybercriminals demand $4 million ransom

NASCAR today confirmed it notified an undisclosed number of people about a March 2025 data breach that compromised their names and Social Security numbers.

“On April 3, 2025, The National Association for Stock Car Auto Racing, LLC identified and began addressing a security incident that involved unauthorized access to its network,” says NASCAR’s notice to victims. “The investigation determined that the unauthorized actor acquired certain files on the Company’s network between March 31 and April 3, 2025.”

Ransomware gang Medusa claimed responsibility for the breach on April 8, 2025 and demanded $4 million in ransom. The payment deadline expired around April 19, 2025.

Medusa lists NASCAR on its data leak site.

NASCAR has not verified Medusa’s claim. We do not know if NASCAR paid a ransom, how many people were compromised, or how attackers breached NASCAR’s network. Comparitech contacted NASCAR for comment and will update this article if it replies.

NASCAR is offering eligible victims one year of free credit monitoring and identity theft protection through Experian.

Who is Medusa?

Medusa is a ransomware gang that first surfaced in September 2019. It debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay both to unlock their systems and to keep stolen data from being sold or published.

This attack on NASCAR is Medusa’s fifth-largest to date based on number of records compromised. The other four include:

  • Toyota Financial Services reported a November 2023 data breach for which Medusa demanded $8 million
  • Bimbo Bakeries notified 550 people of a February 2024 breach for which Medusa demanded $6.5 million
  • Moneris reported a November 2023 data breach for which Medusa demanded $6 million
  • Kenya Airports Authority reported a February 2023 attack for which Medusa demanded $5 million

Medusa has taken credit for 19 confirmed attacks to date in 2025, plus 87 unconfirmed claims that haven’t been acknowledged by the targeted organizations. This week, commercial cleaner Prestige Maintenance and the town of North Providence, RI both confirmed Medusa attacks and notified victims. Yesterday, Traverse City, MI public schools said they notified 10,595 people of a March 2024 breach claimed by Medusa with a $500,000 ransom.

Ransomware attacks in the USA

Comparitech researchers have logged 232 confirmed ransomware attacks on American organizations so far in 2025. Ransomware gangs have made another 1,798 attack claims that haven’t been publicly acknowledged by the targeted entities.

The average ransom across confirmed attacks is $904,000.

Ransomware attacks can both steal data and lock down computer systems. Infected organizations must then either pay a ransom or face extended downtime, permanent data loss, and an increased risk of fraud for data subjects.

About NASCAR

The National Association for Stock Car Auto Racing (NASCAR) is one of the largest spectator sports in the USA. The privately owned company is based in Daytona Beach, FL. NASCAR holds more than 1,500 races per year at more than 100 tracks. It employs about 5,000 people, according to external sources, and its mobile app has been downloaded more than 1.8 million times.