Major NASCAR race team is latest company hit with lawsuit following data breach
AI-generated summary reviewed by our newsroom.
- RFK Racing disclosed a breach affecting 13,632 people; plaintiffs seek class action.
- Compromised data include IDs, passports, Social Security and medical records.
- RFK delayed notice months; suit alleges lax cybersecurity and poor data controls.
NASCAR’s Roush Fenway Keselowski Racing is the latest business in the Charlotte region to find itself part of a proposed federal class-action lawsuit following a data breach cyberattack.
At least four other companies in the area have experienced significant data breaches this year.
RFK Racing, based in Concord, began notifying affected individuals on Sept. 12, four months after discovering the data breach, according to a lawsuit filed last week in U.S. District Court for the Middle District of North Carolina. More than 100 people could be part of the suit, according to the complaint.
The data breach discovered affected 13,632 people, including 2,899 North Carolina residents, according to the company’s security breach report sent to N.C. Attorney General Jeff Jackson’s office. The office shared the report Tuesday with The Charlotte Observer.
Information compromised includes driver’s licenses, medical information, and passport and Social Security numbers.
In its 38th season, RFK Racing is owned by Jack Roush, Brad Keselowski and Fenway Sports Group owner John Henry. Roush initially founded the professional racing team in 1988. RFK Racing’s drivers are Keselowski, Chris Buescher and Ryan Reece.
Claims against RFK Racing in data breach lawsuit
Lawyers for the plaintiff, former RFK Racing employee Wyatt Cowley of South Beloit, Illinois, are seeking to have the lawsuit certified as a class action.
Wyatt Cowley of South Beloit, Illinois, a former employee of RFK Racing, said in the lawsuit that the company failed to implement reasonable cybersecurity measures and did not promptly notify victims about the data breach.
“Individuals affected by the data breach are, and remain, at risk that their data will be sold or listed on the dark web and, ultimately, illegally used in the future,” the lawsuit stated.
Cowley has suffered financial losses, lost time, anxiety and emotional distress because of the data breach, according to the complaint.
“Victims of data breaches are susceptible to becoming victims of identity theft,” the lawsuit said. “Once private information is exposed, there is virtually no way to ensure that the information has been fully recovered or contained against future misuse.”
Cowley is represented by Morgan & Morgan Complex Litigation Group in Tampa, Florida, and Kopelowitz Ostrow in Fort Lauderdale, Florida.
RFK Racing officials did not respond to a request for comment from the Observer.
More details about the RFK Racing data breach lawsuit
RFK Racing detected suspicious, unauthorized activity on “certain systems” on May 14, according to the lawsuit and a company letter dated Sept. 12 to Cowley. A security notice also is posted on the company’s website.
The lawsuit claims RFK Racing did not follow industry standards, did not use encryption detection systems and failed to delete unnecessary data or limit access to sensitive information.
The breach exposed RFK Racing employees, former employees and others whose personal information was stored on RFK Racing’s systems, according to the lawsuit. This information is at risk for long-term issues such as identity theft, fraudulent tax filings, and the misuse of personal data on the dark web.
Cowley has received spam emails and text messages attempting to solicit payments from him, including an email notification that his private information was published on the dark web, according to the complaint.
RFK Racing’s data breach response
RFk Racing immediately launched an investigation after learning about suspicious activity on May 14 on certain systems, the company said in its breach notices. JFK Racing used a third-party forensic specialist to determine the nature and scope of the activity.
“We determined that certain files were accessed or taken without authorization,” RFK Racing said.
On Aug. 4, RFK Racing confirmed affected files included names, addresses, dates of birth and medical information, among other data, the letter said.
RFK Racing is providing 24 months of credit monitoring and identity protection services through TransUnion. The company also took steps to implement additional safeguards and review its policies and procedures related to privacy and security.
Other Charlotte-area companies facing lawsuits over data breaches
Four other Charlotte-area companies reported data breaches in the past half year, while facing potential class-action federal lawsuits following the cyberattacks.
Just last week, one case was dismissed by a federal judge who said former Bojangles employees failed to show their data was misused as a result of the breach. That case, filed by nine former Bojangles employees in U.S. District Court for the Western District of North Carolina, stemmed from a February 2024 cyberattack on the Charlotte-based fast-food chicken chain.
On June 26, Ahold Delhaize USA publicly disclosed a data breach affecting over 2.2 million people. Ahold’s subsidiaries, including Salisbury-based Food Lion, Giant, Hannaford, Stop & Shop, ADUSA Distribution and ADUSA Transportation, were affected by the security breach, according to the company.
Among the victims were 387,071 North Carolina residents. The company detected unauthorized third-party access to internal U.S. business systems on Nov. 6.
On June 16, Krispy Kreme began notifying over 160,000 people affected by a November data breach. More than a dozen lawsuits have been filed against the Charlotte-based doughnut giant.
And in May, Charlotte-based Belk department store was affected by a data breach, according to several lawsuits filed in federal court. All Belk department stores had a computer “system shutdown,” The Charlotte Observer reported on May 19.
Ransomware group DragonForce has claimed credit for the data breach. Belk has not publicly shared information about the system problems, and company officials have not responded to requests for comment about the breach.
This story was originally published October 7, 2025 at 12:15 PM with the headline "Major NASCAR race team is latest company hit with lawsuit following data breach."
