Submission + - ShinyHunters Published 45GB of Madison Square Garden Facial Recognition Records (thenextweb.com)
ArchieBunker writes: The cybercrime group ShinyHunters has published 45 gigabytes of data stolen from Madison Square Garden Entertainment after the company missed a June 15 ransom deadline. The dump includes facial recognition surveillance records, internal threat assessments, and personal information from what the hackers claim are 26 million customer and corporate records. A federal class action lawsuit was filed the following day.
The breach occurred on June 5, according to a ShinyHunters spokesperson who spoke to 404 Media. The data was published on June 16, days after the New York Knicks won the NBA Finals in five games against the Spurs, putting intense public attention on the arena and its owner, James Dolan.
What makes this breach unusual is the nature of the surveillance data it exposed. MSG has deployed facial recognition technology across its venues for years, using the system to screen visitors and, controversially, to ban lawyers from firms that have sued the company. The leaked files include biometric tracking logs, background check information, internal threat assessments, and what the class action complaint describes as detailed dossiers on attendees.
A sample reviewed by 404 Media contained files specifically referencing Knicks-related personalities, with fields including “address,” “claim to fame,” “cost of talent,” and direct contact information for individuals or their representatives. The data also included internal risk tags classifying celebrities: actor Ben Stiller was profiled as “low risk,” while rapper A Boogie wit da Hoodie was flagged as “high risk,” according to the class action filing. No documented criteria explaining the labels were included in the leaked files.
Customer emails were also part of the dump, including messages from fans who had expressed concern about being misidentified by MSG’s facial recognition cameras. The inclusion of this correspondence reveals that MSG was collecting and storing complaints about its own surveillance practices alongside the biometric data itself.
A class action lawsuit, Avalo v MSG Entertainment, was filed on June 16 in New York federal court. The plaintiff, Carlos Avalo, attended a concert at MSG in September 2025 and alleges his biometric data was captured by the venue’s entry systems. The lawsuit seeks at least $5 million in initial damages.
The complaint accuses MSG of corporate negligence in failing to secure the data it aggressively collects, despite clear warnings from privacy advocates and a previous breach.
This is MSG’s second major breach in under a year. In a separate incident disclosed in February 2026, the Cl0p ransomware group exploited a vulnerability in a vendor-hosted Oracle eBusiness Suite application used by MSG for payroll and human resources. That intrusion began in August 2025 but went undetected until December 16, 2025, and exposed the names, addresses, and Social Security numbers of roughly 131,070 individuals, primarily employees and contractors.
ShinyHunters has been on a sustained campaign in 2026, exploiting an unpatched Oracle PeopleSoft zero-day to breach more than 100 organisations, two-thirds of them universities. The group previously orchestrated the 2024 Snowflake supply chain attacks that compromised Ticketmaster and AT&T, and in March 2026 breached the European Commission, leaking 350 gigabytes of data from 42 internal clients.
The MSG attack follows the same playbook ShinyHunters used against Instructure’s Canvas learning management system in April, where the group claimed 3.65 terabytes of data from 275 million users across 9,000 schools. The pattern is consistent: identify a target sitting on large volumes of sensitive data, exfiltrate it, set a ransom deadline, and publish when the deadline passes.
MSG Entertainment has not publicly confirmed the scope of the breach or commented on the class action. The company’s facial recognition programme has faced scrutiny since at least 2022, when it drew attention for using the technology to bar attorneys from firms involved in litigation against the company. The New York attorney general investigated, and a state court initially ruled the policy violated anti-discrimination law, though an appeals court later reversed that decision.
The breach raises a question that extends beyond MSG: organisations that invest heavily in surveillance technology to monitor their visitors are creating precisely the kind of high-value data troves that groups like ShinyHunters target. The 26 million figure cited by the hackers has not been independently verified, and the full scope of the exposed biometric data remains unclear as the investigation continues.
The breach occurred on June 5, according to a ShinyHunters spokesperson who spoke to 404 Media. The data was published on June 16, days after the New York Knicks won the NBA Finals in five games against the Spurs, putting intense public attention on the arena and its owner, James Dolan.
What makes this breach unusual is the nature of the surveillance data it exposed. MSG has deployed facial recognition technology across its venues for years, using the system to screen visitors and, controversially, to ban lawyers from firms that have sued the company. The leaked files include biometric tracking logs, background check information, internal threat assessments, and what the class action complaint describes as detailed dossiers on attendees.
A sample reviewed by 404 Media contained files specifically referencing Knicks-related personalities, with fields including “address,” “claim to fame,” “cost of talent,” and direct contact information for individuals or their representatives. The data also included internal risk tags classifying celebrities: actor Ben Stiller was profiled as “low risk,” while rapper A Boogie wit da Hoodie was flagged as “high risk,” according to the class action filing. No documented criteria explaining the labels were included in the leaked files.
Customer emails were also part of the dump, including messages from fans who had expressed concern about being misidentified by MSG’s facial recognition cameras. The inclusion of this correspondence reveals that MSG was collecting and storing complaints about its own surveillance practices alongside the biometric data itself.
A class action lawsuit, Avalo v MSG Entertainment, was filed on June 16 in New York federal court. The plaintiff, Carlos Avalo, attended a concert at MSG in September 2025 and alleges his biometric data was captured by the venue’s entry systems. The lawsuit seeks at least $5 million in initial damages.
The complaint accuses MSG of corporate negligence in failing to secure the data it aggressively collects, despite clear warnings from privacy advocates and a previous breach.
This is MSG’s second major breach in under a year. In a separate incident disclosed in February 2026, the Cl0p ransomware group exploited a vulnerability in a vendor-hosted Oracle eBusiness Suite application used by MSG for payroll and human resources. That intrusion began in August 2025 but went undetected until December 16, 2025, and exposed the names, addresses, and Social Security numbers of roughly 131,070 individuals, primarily employees and contractors.
ShinyHunters has been on a sustained campaign in 2026, exploiting an unpatched Oracle PeopleSoft zero-day to breach more than 100 organisations, two-thirds of them universities. The group previously orchestrated the 2024 Snowflake supply chain attacks that compromised Ticketmaster and AT&T, and in March 2026 breached the European Commission, leaking 350 gigabytes of data from 42 internal clients.
The MSG attack follows the same playbook ShinyHunters used against Instructure’s Canvas learning management system in April, where the group claimed 3.65 terabytes of data from 275 million users across 9,000 schools. The pattern is consistent: identify a target sitting on large volumes of sensitive data, exfiltrate it, set a ransom deadline, and publish when the deadline passes.
MSG Entertainment has not publicly confirmed the scope of the breach or commented on the class action. The company’s facial recognition programme has faced scrutiny since at least 2022, when it drew attention for using the technology to bar attorneys from firms involved in litigation against the company. The New York attorney general investigated, and a state court initially ruled the policy violated anti-discrimination law, though an appeals court later reversed that decision.
The breach raises a question that extends beyond MSG: organisations that invest heavily in surveillance technology to monitor their visitors are creating precisely the kind of high-value data troves that groups like ShinyHunters target. The 26 million figure cited by the hackers has not been independently verified, and the full scope of the exposed biometric data remains unclear as the investigation continues.
