ShinyHunters released 45GB of data from Madison Square Garden, which features records from facial recognition surveillance.

      ShinyHunters leaked 45GB of data related to Madison Square Garden (MSG) after the company failed to meet a ransom deadline. This exposure encompasses facial recognition records and has resulted in a federal class action lawsuit. The cybercrime collective released 45 gigabytes of information stolen from MSG after a June 15 deadline was missed. The leaked data includes surveillance records from facial recognition, internal threat assessments, and personal details from what the hackers claim are 26 million customer and corporate records. A federal class action suit was filed the next day.

      According to a ShinyHunters spokesperson who discussed the incident with 404 Media, the breach took place on June 5. The data was made public on June 16, shortly after the New York Knicks secured their NBA Finals victory against the Spurs, drawing significant attention towards the arena and its owner, James Dolan.

      This breach stands out due to the type of surveillance data it revealed. MSG has used facial recognition technology at its venues for years, utilizing the system to screen attendees and, controversially, to prohibit lawyers from firms that have litigated against the company. The leaked data includes biometric tracking logs, background checks, internal threat assessments, and what the class action complaint refers to as detailed files on event attendees.

      A sample examined by 404 Media included files mentioning Knicks-related figures, with details such as “address,” “claim to fame,” “cost of talent,” and direct contact information for individuals or their representatives. The leaked information also contained internal risk classifications for celebrities: actor Ben Stiller was labeled as "low risk," while rapper A Boogie wit da Hoodie was marked as "high risk," according to the class action. The leaked files did not provide criteria for these classifications.

      The dump also featured customer emails, including communications from fans worried about being inaccurately identified by MSG’s facial recognition systems. This correspondence indicates that MSG was collecting and maintaining complaints regarding its surveillance practices alongside the biometric data.

      A class action lawsuit, titled Avalo v MSG Entertainment, was initiated on June 16 in a New York federal court. The plaintiff, Carlos Avalo, who attended a concert at MSG in September 2025, claims his biometric data was collected by the venue's entry systems. The legal action seeks at least $5 million in damages.

      The lawsuit alleges that MSG displayed corporate negligence by failing to protect the extensive data it collects, despite evident warnings from privacy advocates and a prior breach.

      This incident marks MSG's second significant breach in less than a year. A different event revealed in February 2026 involved the Cl0p ransomware group taking advantage of a flaw in an Oracle eBusiness Suite application managed by a vendor and used by MSG for payroll and HR. That breach, which began in August 2025 and was not detected until December 16, 2025, compromised the names, addresses, and Social Security numbers of around 131,070 individuals, mostly employees and contractors.

      In 2026, ShinyHunters has actively targeted over 100 organizations, including mainly universities, by exploiting an unpatched Oracle PeopleSoft vulnerability. This group was also responsible for the 2024 Snowflake supply chain attacks that affected Ticketmaster and AT&T, and in March 2026, they breached the European Commission, leading to a leak of 350 gigabytes of data from 42 internal clients.

      The approach taken in the MSG attack mirrors ShinyHunters' method used against Instructure’s Canvas learning management system in April, where the group claimed to have accessed 3.65 terabytes of data from 275 million users across 9,000 educational institutions. This pattern consistently involves identifying a target with large amounts of sensitive data, exfiltrating it, setting a ransom deadline, and leaking the data once the deadline expires.

      MSG Entertainment has not officially confirmed the breach's extent or commented on the lawsuit. The company’s facial recognition system has attracted criticism since at least 2022 for utilizing the technology to exclude attorneys from litigating against it. The New York attorney general conducted an investigation, and while a state court ruled that the policy violated anti-discrimination laws, an appeals court later overturned that ruling.

      The breach raises broader questions regarding organizations that heavily invest in surveillance technologies to monitor visitors, as they create valuable data collections that groups like ShinyHunters are likely to target. The hackers' claim of 26 million records has not been independently verified, and the complete scope of the exposed biometric data is still unclear as investigations are ongoing.