NASCAR, the premier organization in American motorsports, has confirmed it was the victim of a sophisticated ransomware attack orchestrated by the notorious cybercriminal group Medusa. The breach, which initially went undetected until June 24, 2025, resulted in the exfiltration of more than one terabyte of sensitive data from NASCAR’s internal systems.
Scope and Impact of the Breach
According to cybersecurity sources, the stolen data includes:
- Names and Social Security numbers of individuals affiliated with NASCAR
- Confidential racetrack maps and facility floor plans
- Employee directories, with names, job titles, and email addresses
- Credential-related information potentially exposing operational vulnerabilities
- Internal business documents and contracts
Medusa subsequently demanded a $4 million ransom, threatening to publicly release the data if their demands were not met within 10 days. To prove the extent of their infiltration, Medusa published select sample files—including internal documents and operational records—on a dark web leak site.
NASCAR’s Response
Following widespread media coverage and reports on the breach, NASCAR acknowledged the incident and has taken several measures in response. Impacted individuals have been directly notified and offered one year of complimentary credit monitoring and identity theft protection services through Experian.
To date, NASCAR has neither confirmed nor denied whether the ransom demand was met.
