Madison Square Garden Investigated for Data Breach
Madison Square Garden Entertainment Corp. is being investigated by a national class action law firm over a recently discovered data breach. The investigation into the incident at the iconic venue operator puts a spotlight on data privacy and security for live event companies.
The recent data breach at Madison Square Garden Entertainment is linked to a critical vulnerability in Oracle's eBusiness Suite, a widely used enterprise resource planning software. This specific flaw, identified as CVE-2025-61882, carries a severity score of 9.8 out of 10 and allows for unauthenticated remote exploitation, meaning attackers can gain access without needing login credentials. The vulnerability was actively exploited in the wild, with some attacks leading to ransomware campaigns. Hackers first gained access to MSG's data in August 2025, though the company only learned of the breach on or about December 16, 2025. The compromised information includes sensitive personal data such as names, addresses, and Social Security numbers. The ransomware group Clop has reportedly taken credit for the attack, having exploited the same Oracle zero-day vulnerability to target hundreds of other organizations. This incident is not the first data security issue for the company. Between 2015 and 2016, MSG's payment processing system was breached, exposing credit card numbers, cardholder names, and expiration dates for customers who purchased merchandise or food at several of its venues. That earlier attack involved malware that scraped data as it was being routed for authorization. The breach investigation places a renewed focus on MSG's broader data collection practices, which have drawn significant controversy. The company has faced multiple lawsuits and criticism from New York lawmakers over its use of facial recognition technology to identify and deny entry to attorneys from firms involved in litigation against it. A former vice president of security at MSG filed a lawsuit in September 2025, alleging he was directed to conduct "overreaching surveillance" on guests and employees. The lawsuit claims that the company lacks proper protocols for securely storing the sensitive personal information it collects, including photographs and financial details. Venues like Madison Square Garden increasingly leverage location and biometric data to manage crowd flow, enhance security, and send targeted marketing offers to fans' mobile devices. This can include everything from real-time alerts about the shortest concession lines to personalized merchandise discounts based on a fan's location within the arena. The collection of such detailed customer data, however, heightens the stakes of any security failure.
