MSG Entertainment Hit with Lawsuit Over Undisclosed Data Breach Exposing Biometric and Personal Data
Madison Square Garden Entertainment (MSG Entertainment), the operator of New York’s iconic Madison Square Garden, is facing a federal lawsuit in New York over its failure to notify affected individuals of a data breach. The incident, disclosed by the cybercrime group ShinyHunters less than 48 hours after the New York Knicks’ NBA Finals victory on June 16, involved the theft and subsequent leak of sensitive data including biometric records, facial recognition data, credit scores, and Social Security numbers.
The breach occurred on June 17, but MSG Entertainment allegedly did not inform impacted individuals, prompting plaintiff Carlos Avalo who attended a concert at MSG in September 2025 to file the lawsuit. Avalo claims his personal data was collected during the event and is now "gravely concerned" it was exposed in the breach. The complaint highlights MSG Entertainment’s history of controversial data collection practices, including the use of facial recognition to categorize attendees by perceived risk (e.g., labeling rapper A Boogie wit da Hoodie as "high risk" while actor Ben Stiller was deemed "low risk").
While MSG Entertainment and Madison Square Garden Sports (the separate entity owning the Knicks and Rangers) are distinct companies, both are led by CEO James Dolan. The lawsuit targets MSG Entertainment for its alleged inadequate response, accusing the company of failing to address the breach transparently or mitigate the fallout. As of now, neither Dolan nor MSG Entertainment has publicly commented on the incident or negotiations with the hackers.
The breach underscores growing concerns over the security of biometric data and corporate accountability in the wake of cyberattacks. With no official statement from MSG Entertainment, the legal and reputational consequences remain unresolved.
Madison Square Garden Entertainment TPRM report: https://www.rankiteo.com/company/msg-entertainment
Madison Square Garden Sports TPRM report: https://www.rankiteo.com/company/msg-entertainment
"id": "msg1781779224",
"linkid": "msg-entertainment",
"type": "Breach",
"date": "6/2026",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Attendees of events at Madison '
'Square Garden (e.g., concerts, '
'sports events)',
'industry': 'Entertainment, Sports Venues',
'location': 'New York, USA',
'name': 'Madison Square Garden Entertainment (MSG '
'Entertainment)',
'type': 'Corporation'}],
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Biometric records',
'Facial recognition data',
'Credit scores',
'Social Security numbers']},
'date_detected': '2025-06-17',
'date_publicly_disclosed': '2025-06-18',
'description': 'Madison Square Garden Entertainment (MSG Entertainment) is '
'facing a federal lawsuit in New York over its failure to '
'notify affected individuals of a data breach. The incident '
'involved the theft and subsequent leak of sensitive data '
'including biometric records, facial recognition data, credit '
'scores, and Social Security numbers by the cybercrime group '
'*ShinyHunters*. The breach occurred on June 17, but MSG '
'Entertainment allegedly did not inform impacted individuals, '
'prompting a lawsuit from plaintiff Carlos Avalo.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': 'Biometric records, facial recognition data, '
'credit scores, Social Security numbers',
'identity_theft_risk': 'High',
'legal_liabilities': 'Federal lawsuit filed'},
'investigation_status': 'Ongoing',
'references': [{'source': 'Cyber incident report'}],
'regulatory_compliance': {'legal_actions': 'Federal lawsuit filed in New '
'York'},
'response': {'communication_strategy': 'No official statement or public '
'disclosure to affected individuals'},
'threat_actor': 'ShinyHunters',
'title': 'MSG Entertainment Hit with Lawsuit Over Undisclosed Data Breach '
'Exposing Biometric and Personal Data',
'type': 'Data Breach'}