NASCAR’s RFK Racing Sued in Class-Action Over Data Breach: A Stark Warning for All Motorsports
In a growing wave of cybersecurity fallout rippling through the high-octane world of auto racing, Roush Fenway Keselowski Racing (RFK Racing)—one of NASCAR’s most storied teams—has become the latest target of a federal class-action lawsuit stemming from a significant data breach. The incident, which compromised deeply personal information for over 13,000 individuals, underscores the vulnerabilities lurking in the digital underbelly of fan engagement and operations in motorsports.
–by Mark Cipolloni–
As teams across the spectrum—from NASCAR powerhouses to Formula 1 squads and IndyCar outfits—ramp up data collection for everything from ticket sales to loyalty programs, this case serves as a flashing red light on the track.
The breach occurred in May 2025, when cybercriminals infiltrated RFK Racing’s systems in Concord, North Carolina, exposing a trove of sensitive data belonging to 13,632 people. Among the stolen records were government-issued identification numbers, passport details, Social Security numbers, and even medical information—details that could fuel identity theft, financial fraud, or worse for years to come. It wasn’t until September 2025—four months later—that the team finally notified those affected, a delay that has ignited accusations of negligence.
The lawsuit, filed in federal court by Wyatt Cowley, a former RFK Racing employee from South Beloit, Illinois, paints a damning picture of the team’s data handling practices. Cowley alleges that RFK Racing “failed to implement reasonable cybersecurity measures” and exhibited “lax cybersecurity and poor data controls,” leaving victims exposed to prolonged risks without timely warnings. The proposed class-action suit seeks damages on behalf of all impacted individuals, potentially ballooning into millions as more victims come forward.
RFK Racing, which has fielded NASCAR Cup Series cars since 1988 and boasts drivers like Chris Buescher, has not publicly commented on the litigation, but the case is already drawing parallels to similar breaches hitting other businesses.
This isn’t an isolated pit stop in the cybersecurity lane for NASCAR. Just months earlier, in March 2025, the sport’s governing body itself disclosed a separate cyberattack that exposed Social Security numbers of an undisclosed number of customers, prompting notifications across multiple states. While RFK’s breach appears tied to internal systems rather than fan-facing platforms, the overlap highlights a sector-wide blind spot: the rush to digitize fan experiences—from app-based merchandise sales to personalized race-day emails—without bulletproof safeguards.
A Blaring Siren for Auto Racing Teams and Series: The High Cost of Data Complacency
To every auto racing team and series—whether you’re a Formula 1 constructor chasing podiums in Monaco, an IndyCar powerhouse engineering ovals in Indianapolis, a NASCAR outfit thundering down Daytona, or any of the global circuits in between—this breach isn’t just RFK’s headache.
It’s a prophetic flare gun signaling the wreckage that awaits if you don’t lock down your fan data vaults today. Here’s what a similar catastrophe could unleash on your operation, backed by the harsh realities unfolding right now:
– Legal Landmines and Skyrocketing Liabilities: Like RFK, you could face class-action suits alleging delayed notifications and inadequate protections, violating laws like the U.S. Federal Trade Commission’s Safeguards Rule or state-specific mandates (e.g., California’s CCPA). In Europe, where Formula 1 and other series draw massive crowds, GDPR violations could trigger fines up to 4% of global annual revenue—potentially hundreds of millions for a top team. Plaintiffs aren’t just seeking compensation; they’re gunning for punitive damages to cover lifelong identity theft monitoring, credit freezes, and fraud remediation.
– Financial Pit Stops That Drain the Tank: Beyond lawsuits, expect regulatory probes from bodies like the FTC or state attorneys general, piling on investigation costs and mandated upgrades. RFK’s 13,632 victims alone could translate to settlement payouts in the seven figures, not counting legal fees. For series like IndyCar or NASCAR, which aggregate fan data across events, a breach could cascade into multi-state filings, eroding sponsorship dollars as brands flee the reputational skidmark.
– Fan Trust in the Rearview Mirror: Motorsports thrives on passion—loyal fans who buy tickets, merch, and premium streaming passes. A breach erodes that bond overnight. Imagine Formula 1 enthusiasts ditching their F1 TV subscriptions after their payment info leaks, or NASCAR die-hards boycotting tracks over exposed medical records from health screenings at events. Rebuilding trust means costly PR campaigns, free identity protection offers (as NASCAR did in its own breach), and potentially lost revenue from ticket sales dipping 10-20% in the fallout year.
– Operational Chaos on the Grid: Exposed data isn’t just personal—it’s operational. Hackers could leverage stolen SSNs or emails for phishing attacks targeting team staff, disrupting race prep or sponsor negotiations. For global series like Formula 1, cross-border data flows amplify risks under varying privacy regimes, turning a U.S.-based breach into an international nightmare.
The message is unequivocal: Audit your CRM systems, fan databases, and third-party vendors now. Implement multi-factor authentication, encrypt everything, and conduct regular penetration testing. Delay notifications? That’s not just sloppy—it’s lawsuit bait. RFK’s saga proves that even championship-caliber teams aren’t immune; in the data-driven fast lane of modern racing, one breach can spin you into the wall.
As the gavel falls in this case, the entire motorsports paddock should be tuning its engines for defense. The checkered flag waves for prevention, not reaction.