Madison Square Garden, one of the world’s most famous sports and entertainment venues, suffered a huge data breach. Hackers linked to the group called ShinyHunters stole and published 45 gigabytes of sensitive data. This happened after MSG missed a ransom deadline set by the group on June 15, 2026.

The leaked data is staggering. It reportedly includes biometric facial recognition records, internal risk profiles of celebrities, customer emails, and logs tracking millions of visitors. The hackers claim the data covers information on up to 26 million people. This breach raises serious concerns about digital privacy and security at high-profile venues.

Inside the Data Dump

The stolen files reveal that MSG has used facial recognition technology extensively at its venues. The system wasn’t just for security. It was also used to profile visitors, track their movements, and even ban certain people. For example, lawyers from firms suing MSG were reportedly barred entry based on this surveillance.

Among the leaked documents are detailed profiles on celebrities and VIPs. The files include home addresses, fees paid for appearances, and internal threat levels. Actor Ben Stiller was marked as “low risk,” while rapper A Boogie wit da Hoodie was flagged as “high risk.” The criteria behind these labels remain unknown. Alongside this, customer emails reveal fans’ worries about being misidentified by facial recognition cameras.

A Pattern of Cybersecurity Failures

This is not MSG’s first major breach. Just months earlier, in February 2026, another hacking group called Cl0p broke into MSG’s payroll and human resources systems. They exploited a vulnerability in an Oracle application used by MSG and gained access to sensitive employee information, including Social Security numbers. That breach affected over 130,000 individuals.

These incidents expose a deeper problem. MSG collects vast amounts of sensitive data but has failed to secure it properly. The company faces criticism for ignoring repeated warnings about its digital defenses. Experts say this pattern puts millions of visitors and employees at risk of identity theft and fraud.

The recent breach also highlights the risks of deploying aggressive surveillance technology. Facial recognition data is permanent and cannot be changed like a password. If stolen, it exposes people to long-term dangers. Unlike credit card numbers, biometric data theft can have serious consequences that last a lifetime.

Legal Fallout and What It Means for Fans

Following the leak, a class action lawsuit was filed against MSG. The suit claims that the company was negligent in protecting customer and visitor data. The lead plaintiff attended an MSG event in 2025 and alleges that his biometric data was unlawfully collected and exposed.

The lawsuit demands at least $5 million in damages and calls for MSG to overhaul its cybersecurity practices. It aims to represent millions of affected fans, visitors, employees, and contractors. Anyone who attended an event at MSG or had their data stored in its systems could be part of this legal action.

Meanwhile, fans and ticket holders face immediate risks. The leaked data is already circulating on the dark web, making identity theft and phishing attacks more likely. Experts recommend freezing credit reports, enabling multi-factor authentication, and being cautious of suspicious emails claiming to be from MSG or its affiliates.

MSG has not yet issued a public statement addressing the breach. The silence adds to concerns about how the company plans to protect affected individuals. Regulators and security firms are expected to scrutinize MSG’s data policies closely in the coming months.

For now, this breach serves as a warning. High-profile venues collecting biometric data must take stronger security measures. Otherwise, they risk exposing their visitors to serious privacy violations and legal consequences.