Hackers Published Madison Square Garden and Knicks Data Online. Here’s What Fans and Visitors Should Know.

As the largest arena in Manhattan, Madison Square Garden is meant to be where people go to watch big shows and iconic sports moments. Now, according to recent reporting, the real spectacle may be what was happening behind the scenes with people’s data.

Hackers have reportedly published data stolen from Madison Square Garden online, including files connected to the New York Knicks, customer communications, internal records, and information that appears to involve high-profile visitors, former players, coaches, and celebrities. The leak has already drawn attention because of some of its stranger details, including internal “risk” labels reportedly assigned to certain celebrities and public figures (Ben Stiller labeled as "Low Risk" and rapper A Boogie wit da Hoodie as "High Risk").

But underneath the absurdity is something much more serious. If the reports and allegations are accurate, this breach may have exposed sensitive information belonging not only to public figures, but also to fans, eventgoers, customers, employees, and others whose information may have been collected or stored by Madison Square Garden-related entities.

For anyone who has attended a Knicks game, Rangers game, concert, comedy show, or other event at Madison Square Garden, this raises a troubling question: What information did MSG collect, why was it kept, and how did hackers allegedly get access to it?

What Reportedly Happened?

According to recent reporting, a hacking group known as ShinyHunters claimed responsibility for accessing data tied to Madison Square Garden Sports, the company associated with the New York Knicks and New York Rangers. The group reportedly claimed it obtained more than 26 million customer and corporate records.

Days later, hackers reportedly published Madison Square Garden-related data online after an alleged ransom deadline passed. Reports indicate the leaked data included customer emails, internal files, and records involving Knicks-related personalities, former players and coaches, and celebrities. Some files reportedly included information such as addresses, contact information, “claim to fame,” talent costs, and internal risk classifications.

A proposed class action lawsuit has now reportedly been filed against Madison Square Garden Entertainment, alleging that hackers accessed sensitive visitor information collected through MSG’s surveillance and facial-recognition systems. The lawsuit reportedly claims that data from up to 26 million people may have been involved.

At this stage, the full scope of the breach is still unfolding. But the allegations are serious enough that anyone who may have interacted with Madison Square Garden as a customer, visitor, employee, contractor, vendor, performer, or guest should pay attention.

Why This Breach Is Especially Alarming

Many data breaches involve information such as names, emails, passwords, payment details, or Social Security numbers. Those are serious enough on their own. But this reported breach appears to raise an additional concern: the possibility that surveillance-related data, visitor profiles, internal risk assessments, or biometric information may have been exposed.

That matters because biometric data is not like a password. You can change a password. You can replace a credit card. You can freeze your credit. But you cannot change your face.

If a company collects facial-recognition data, visitor-screening records, background information, internal notes, or threat assessments, it has a heightened responsibility to protect that data. People who attend an arena for a basketball game or concert generally do not expect their personal information to become part of an internal dossier, much less one that could later be published online by hackers.

The lawsuit reportedly alleges that Madison Square Garden has continued to collect biometric information from visitors despite years of criticism from privacy advocates, legislators, and others. That history could become central to the legal questions surrounding this breach. If a company chooses to collect unusually sensitive information, it may also be expected to maintain unusually strong safeguards.

What Information May Have Been Exposed?

The full list of exposed information has not been confirmed publicly in one complete, official disclosure. 

However, based on current reporting and lawsuit allegations, the data may include some combination of the following:

• Names
• Addresses
• Email addresses
• Customer communications
• Internal MSG records
• Corporate documents
• Information connected to former players and coaches
• Records involving public figures or celebrities
• Internal risk classifications
• Contact information for representatives
• Sensitive personal or business data

The proposed lawsuit also reportedly alleges that the compromised data may include facial-recognition information, background check information, credit scores, Social Security numbers, and other personal identifiers.

If those allegations are accurate, this could be far more than an embarrassing corporate leak. It could be a major privacy event involving information that can be used for identity theft, targeted scams, financial fraud, reputational harm, stalking, harassment, or further social engineering attacks.

Fans and Visitors May Not Know They Were Being Tracked

One of the most disturbing parts of this story is that many affected people may have had no meaningful idea that their information was being collected in the first place.

A person may buy a ticket, walk through security, attend a concert, cheer for the Knicks, or send an email to customer service without realizing that their data could be stored in internal systems. If facial-recognition tools or visitor-screening systems were involved, many ordinary eventgoers may not have understood the scope of what was collected, how long it was retained, or who could access it.

That lack of transparency is important. Companies that collect sensitive information should clearly explain what they collect, how it is used, how long it is kept, and how it is protected. When that information is later exposed, people deserve more than vague reassurances. They deserve answers.

What Should You Do if You May Have Been Affected?

If you attended an event at Madison Square Garden, communicated with MSG, worked for an MSG-related entity, performed at the venue, appeared on internal guest or talent lists, or received any notice related to the breach, there are steps you can take now.

Start by watching for official notices. Companies often send data breach letters by mail or email, but they may arrive weeks or months after the breach becomes public. Read any notice carefully and look for what information was involved, when the breach happened, whether your data was accessed or acquired, and what protective services are being offered.

You should also monitor your financial accounts, credit reports, and online accounts for suspicious activity. If Social Security numbers or financial identifiers were involved, consider placing a fraud alert or credit freeze with the major credit bureaus. A credit freeze can make it harder for someone to open new accounts in your name.

Be especially cautious about phishing attempts. After major breaches, scammers may use leaked information to make emails, calls, or text messages sound more believable. They may pretend to be from MSG, a ticketing company, a bank, a credit bureau, or even a law firm. Do not click suspicious links or provide personal information unless you have verified the source.

If you believe your biometric information, identity documents, Social Security number, financial information, or other sensitive data was exposed, keep records of any notices, suspicious account activity, credit monitoring alerts, expenses, time spent addressing the breach, and emotional distress connected to the incident. Those records may matter if legal claims move forward.

Can You Sue After a Data Breach?

A data breach does not automatically mean every affected person has a lawsuit. But companies can potentially be held accountable when they fail to use reasonable security measures, collect more data than necessary, store sensitive information carelessly, delay notifying affected people, or expose consumers to identity theft and fraud.

In cases involving biometric data, the legal stakes can be even higher. Depending on the facts and the laws that apply, people may have claims related to negligence, invasion of privacy, consumer protection violations, breach of implied contract, unjust enrichment, or violations of biometric privacy laws.

The central issue is whether Madison Square Garden and related entities did enough to protect the information they collected. If the company gathered sensitive visitor data, internal profiles, surveillance records, or biometric identifiers, it may have had a duty to secure that information from unauthorized access.

Morgan & Morgan Is Investigating Data Breach Claims

No one should have to worry that attending a game, concert, or public event could lead to their personal information being leaked online. Companies that collect sensitive data must be held to a high standard, especially when that data may include financial identifiers, surveillance records, or biometric information.

If you received a notice related to the Madison Square Garden data breach, believe your information may have been exposed, or experienced identity theft, fraud, suspicious account activity, or other harm after the breach, Morgan & Morgan may be able to help.

Our data breach attorneys fight for people whose private information was exposed because companies failed to protect it. Contact Morgan & Morgan today to learn more about your legal options. Hiring one os our lawyers is easy, and you can get started in minutes with a free, no-obligation case evaluation.