In the days before the Knicks won the N.B.A. finals, sending New York City into a rapture, a hacking group was quietly working to steal data from Madison Square Garden, including the records of celebrities and other customer information, according to three class-action lawsuits filed against the companies that own the arena and sports teams.
ShinyHunters, a hacking group, claimed responsibility for the attack and announced on June 12 that if it did not receive a ransom from the Garden, more than 26 million records would be leaked.
On June 16, ShinyHunters sent a new message: “It’s very simple. When you pay us, your data is deleted, and you move on with your life. When you don’t pay us, you get posted here, among other things.”
That same day, the hackers published the records after announcing that Madison Square Garden had “failed to reach an agreement with us,” according to the lawsuits, which were filed last week in the Southern District of New York. The data in this breach, which included internal emails, celebrity contacts and other corporate information, was most likely stolen with the intent to embarrass Madison Square Garden and force a payout, said Josephine Wolff, a professor of cybersecurity policy at Tufts University.
Hackers have recognized that there is “big money” in threatening to “humiliate” a target and “air their dirty laundry” if a ransom isn’t paid, Dr. Wolff said. It is often more lucrative than taking personal information that can be sold to commit fraud. At present, there is not enough demand for buying such data in illegal forums, which often appear on the dark web, Dr. Wolff said.
Madison Square Garden Entertainment and Madison Square Garden Sports Corporation, the targets of the lawsuits, declined comment.
The recent data breach represents a lower risk to customers than something like a credit card breach, Dr. Wolff said.
Even so, if someone were to find the information, it would be reasonable to question what would be done with it, she added.
An independent analysis by the website DataBreach, which helps people check if their data has been compromised, found that nearly 9.8 million emails were leaked in the Madison Square Garden attack along with more than 9,500 dates of birth and nearly five million street addresses. Other information, such as full names and phone numbers of customers, was also stolen.
Maximilien Perez, a data engineer for DataBreach who examined the leaked data, said that the data was divided into two groups: nearly 11 million rows of consumer information, in which Mr. Perez found his own information (he attended Game 1 of the Eastern Conference semifinals on May 4 at Madison Square Garden); and nearly 44,000 rows that referred to “talent,” such as celebrities.
The first of the class-action lawsuits was filed on behalf of Carlos Avalos, 34, from Nassau County, N.Y., who attended a Dua Lipa concert at the arena in September.
The complaint does not specify what personal information of Mr. Avalos’s may have been leaked.
404 Media, an online news publication, was the first to report on the data breach after reviewing a sample of the files obtained by ShinyHunters. The sample contained information about family members of Madison Square Garden executives, former Knicks players and head coaches, and celebrities — data such as “cost of talent” and contact information.
It also included data relating to the actor and director Ben Stiller. The Garden’s internal “threat assessment” labeled Mr. Stiller as “low risk” while the rapper A Boogie Wit da Hoodie was listed as “high risk,” 404 Media reported. It’s unclear what the labels meant in this context. Mr. Perez, at DataBreach, said that the risk assessments appeared only in the file called “MSG sports talent.”
The data breach also contained emails, including one from a man concerned about possibly being flagged by the Garden’s facial recognition systems, according to 404 Media. The Garden began scanning the faces of customers when it hosted the Grammy Awards in 2018. Its parent company, Madison Square Garden Entertainment, has said that it uses the technology to identify people who could be security threats, but its use of biometric surveillance has been sharply scrutinized.
“Knicks and Rangers fans and concertgoers do not shed their privacy rights at M.S.G.’s gates, and our case seeks to hold them accountable after a long history of regarding consumer privacy as a nonissue,” Blake Hunter Yagman, Mr. Avalos’s lawyer, said in an email.
The class-action lawsuits are seeking monetary compensation, including the payment of legal fees, and changes to the consumer privacy rules of the Madison Square Garden-affiliated companies.
Other data breaches have affected Madison Square Garden, including a 2025 attack by the hacking organization Cl0p, which exposed the Social Security numbers of former and current employees.
ShinyHunters, the hacking group, is believed to have been formed in about 2020 and has often engaged in cyber extortion. In May, the maker of Canvas, a software used by thousands of schools, said that it had reached a deal with the hackers to return stolen data and destroy any copies. The company did not say what it had given the hackers in exchange.
In June, Representative Laura Friedman, a Democrat from California, was among a group of politicians who called on the Justice Department and the Education Department to investigate the May cyberattack, which involved a subsidiary of Canvas, and prosecute those responsible.
In 2024, ShinyHunters attacked Ticketmaster, saying that it had stolen the information of more than 500 million customers.
Wirecutter, which is owned by The New York Times, advises people whose information may have been compromised to immediately change their passwords, enable two-factor authentication and contact each credit bureau to freeze their credit, which will help prevent new accounts or loans from being opened in your name.
Kitty Bennett contributed research.
The post Customers Sue Madison Square Garden Over Hacking of 26 Million Records appeared first on New York Times.
