Exposed data includes: 

• Customer records
• Internal emails 
• Celebrity contacts 
• Corporate data 

A June 23 report from the New York Times reveals multiple class action lawsuits have already been filed against the company. 

Security Leaders Weigh In

Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace:

The reported Madison Square Garden incident should be viewed in the context of a much wider pattern of cyber risk across professional sport. Our recent research found that 84% of professional sports organizations experienced a cyber incident in the past 12 months, and 57% were hit more than once. That tells us this is not an isolated issue for a single team, venue, or league.

Sports organizations are attractive targets because they combine valuable data, high-profile individuals, complex vendor relationships, and digital systems that are expected to work under intense public pressure. A breach does not need to disrupt a game to cause damage. Exposed data, compromised executive accounts, or trusted communications used for fraud can quickly create financial and reputational consequences. As sport becomes more digital and connected, cybersecurity needs to be treated as a business priority. Organizations need visibility and control across the systems, identities, data, and partners that keep the business running.

Matthieu Chan Tsin, Senior Vice President, Resiliency Services at Cowbell:

The latest cyber event involving Madison Square Garden must be used as a reminder that even companies with large budgets are not immune to cyber-attacks. By refusing to pay a ransom, MSG took a valiant stand, however, may now be liable to incur a different type of damage.

Shane Barney, Chief Information Security Officer at Keeper Security:

ShinyHunters has demonstrated repeatedly that the most valuable data in an organization is rarely the data an organization thinks to protect most carefully. Ticketing systems, customer support platforms and internal operational databases are not typically where security investment is concentrated, but they are where years of customer correspondence, internal profiles and sensitive business information quietly accumulate. That is the gap this group consistently finds and exploits.

The question worth asking after an incident like this is not just how the attacker got in, but what they were able to reach once inside. Operational systems that are governed as administrative infrastructure rather than as high-value targets often lack the access controls that more obviously sensitive environments receive. When access is not scoped to least privilege, monitored for anomalous behavior or time-limited, the blast radius of any compromise expands well beyond what the initial foothold would suggest. Centralizing access governance, enforcing least privilege across every system that touches customer or employee data and building in continuous monitoring are the controls that close that gap. For organizations watching this unfold, the more pressing question is whether they would have detected a similar exfiltration before the attacker announced it publicly. If the answer is uncertain, that is the gap worth addressing first.

Anyone who has purchased tickets, contacted MSG customer support or attended events at MSG venues in recent years should assume their contact information may be among the exposed data. That means being alert to phishing emails and text messages that appear to reference your MSG account or recent purchases, particularly any that ask you to click a link, verify payment information or reset a password. Using a password manager to ensure your MSG account credentials are unique and not reused across other sites limits your exposure significantly. Enabling multi-factor authentication wherever it is available adds another layer of protection. If you receive any communication that references personal details you did not expect a sender to know, treat it with caution and verify through official channels before taking any action.