Madison Square Garden Sports Corp.

ShinyHunters claimed a breach of Madison Square Garden Sports Corp., exposing over 26 million records. MSG Sports operates Madison Square Garden (home of the Knicks and Rangers), Radio City Music Hall, the Beacon Theatre, and other iconic New York venues.

The breach exposed customer PII, ticket purchase data, and internal corporate information. For a company that has hosted millions of event attendees over decades, this represents a massive exposure of entertainment consumer data.

Customer personal information for ticket buyers and event attendees. Purchase histories showing what events people attended, when, and how much they paid. Payment information used for ticket transactions. Internal corporate data about operations.

26+ million records represents decades of event attendance. Every Knicks game, Rangers match, concert, and show. MSG sells millions of tickets annually—and has been doing so since before most digital ticketing systems existed. That's a lot of accumulated customer data.

Sports fans and concert-goers whose ticket purchases reveal their entertainment preferences, spending patterns, and physical attendance at specific events. Season ticket holders whose long-term relationships with MSG are now documented in leaked files. Premium seat buyers whose spending indicates income levels.

Event attendance data is surprisingly revealing. Where you were on a specific date, who you might have been with, what you're willing to spend on entertainment. For public figures or executives, attendance records could be embarrassing or compromising.

Entertainment companies invest in customer experience and loyalty programs. MSG offers premium experiences, season ticket programs, and personalized marketing. Customer data management is core to these operations.

But entertainment ticketing involves complex data flows: ticket platforms, payment processors, venue systems, marketing tools, loyalty programs. Each integration point creates potential exposure. MSG also made headlines previously for using facial recognition to ban certain visitors—demonstrating they collect more data than typical ticketing.

26 million records suggests historical depth spanning years or decades of ticketing operations. System migrations, platform changes, acquisition of venues—each transition likely retained data from previous systems. Old ticketing databases, legacy CRM exports, historical purchase records.

Do you need ticket purchase records from 2008? Customer contact information from attendees who haven't returned in a decade? The breach scope reflects accumulated data that outlived its business purpose but remained accessible.

26 million records means notification across states where attendees reside—effectively nationwide for an iconic New York venue that draws visitors globally. Payment information exposure may trigger PCI DSS implications. State attorneys general may take interest in a breach of this scale.

The brand impact matters too. "The World's Most Famous Arena" is now associated with one of 2026's largest entertainment industry breaches. Reputational recovery takes longer than technical remediation.