MSG Entertainment Probed Over Data Breach

The incident originated in August 2025 when hackers exploited a zero-day vulnerability in Oracle's E-Business Suite software, which was managed by a third-party vendor for MSG. The company became aware that an unauthorized person had gained access to application data on approximately December 16, 2025. Personal information, potentially including names, addresses, and Social Security numbers, may have been compromised. The ransomware group known as Clop (or Cl0p) claimed responsibility for the attack in November 2025, listing Madison Square Garden on its data leak website. This group was responsible for 456 ransomware attacks in 2025, with confirmed data breaches from 31 of those organizations, compromising around 3.75 million personal records. Other victims of the same Oracle zero-day exploit include Harvard University and Dartmouth College. This is not the first data security issue for the entertainment giant. In 2016, MSG revealed that malware had been capturing payment card data from its processing systems for nearly a year. That breach, running from November 2015 to October 2016, affected customers who purchased merchandise or food and beverages at venues including Madison Square Garden, Radio City Music Hall, and the Beacon Theater. The company's data handling practices have faced other criticisms. MSG Entertainment has been sued over its use of facial recognition technology to identify and eject individuals, including attorneys from firms involved in litigation against the company, from its venues. Lawmakers have expressed concerns about the technology's potential to chill free speech and its proven inaccuracies. In response to the most recent breach, MSG is offering one year of free credit monitoring through TransUnion to those affected. The law firm Edelson Lechtzin LLP is now investigating a potential class-action lawsuit to seek legal remedies for individuals whose data may have been compromised.