Subscribe To Our Newsletter
Subscribe To Our Newsletter
Madison Square Garden Entertainment Corp. has been hit with a major proposed class action lawsuit (Avalo v. MSG Entertainment) in New York federal court following a massive data breach. The cybercrime group ShinyHunters successfully exfiltrated and published 45 gigabytes of internal files after the company missed a June 15, 2026, ransom deadline. The leak allegedly compromises the private information and biometric surveillance records of up to 26 million people.
The lawsuit, Avalo v. Madison Square Garden Entertainment Corp., was filed on Tuesday, June 16, 2026, in a New York federal court. It accuses MSG Entertainment of corporate negligence and failing to implement reasonable data security measures to protect the millions of fans, concertgoers, and visitors who pass through Manhattan’s most famous sports arena. The legal action follows a strict June 15 ransom deadline set by the ShinyHunters extortion group, which published the entire stolen data cache online after MSG Entertainment refused to pay.
For everyday people who have attended events at Madison Square Garden, the data dump has triggered immediate privacy and security concerns. Consumer advocates argue that while MSG Entertainment has invested heavily in state-of-the-art surveillance tech to police its arenas, it has fundamentally failed its basic duty to secure the vast digital databases containing the public’s personal information. This class action aims to hold the multi-billion-dollar entertainment empire accountable and ensure impacted consumers don’t stand alone.
The Madison Square Garden data breach is uniquely alarming because of the specific types of surveillance and biometric records the company collects. Under the direction of owner James Dolan, MSG venues have famously deployed advanced, controversial facial-recognition software and internal monitoring systems designed to screen, track, and occasionally bar certain visitors from entering the premises.
According to the legal complaint, the ShinyHunters hacking network successfully infiltrated these back-end surveillance databases. The cybercriminals claimed to have harvested a massive wealth of data, including biometric facial recognition tracking logs, background check information, internal threat assessments, credit scores, and Social Security numbers.
The leaked files have revealed that MSG Entertainment was maintaining incredibly detailed internal dossiers on attendees. The published 45-gigabyte dump included internal “Talent” files that quietly categorized high-profile venue visitors with specific risk tags. For example, leaked records showed that actor Ben Stiller was profiled as “low risk,” while rapper A Boogie wit da Hoodie was flagged as “high risk,” with zero documented criteria explaining the labels. The data dump also contained home addresses, appearance fees, and direct customer email correspondences, including messages from fans explicitly worried about being misidentified by the arena’s facial recognition cameras.
What has intensified frustration among consumer advocates and legal professionals is that this massive June 2026 event represents MSG Entertainment’s second major network compromise within a year. The lawsuit contends that the company maintained a “tempestuous history with respect to data privacy” and ignored obvious vulnerabilities in its corporate infrastructure.
Just months prior, in February 2026, official regulatory filings revealed that MSG Entertainment had fallen victim to a separate cyberattack orchestrated by the Clop (Cl0p) ransomware group. In that previous event, hackers exploited a critical vulnerability in a vendor-hosted Oracle eBusiness Suite application utilized by MSG to manage payroll, tax, and human resources data. That initial intrusion began in August 2025 but went completely unnoticed by MSG corporate teams until December 16, 2025.
The earlier Oracle software breach definitively exposed the full names, home addresses, and Social Security numbers of roughly 131,070 individuals, primarily consisting of MSG’s extensive workforce, independent contractors, stagehands, and corporate vendor partners. The fact that a completely separate cybercrime group has now successfully breached consumer-facing ticketing and surveillance databases less than a year later suggests a systemic failure in MSG’s digital defense protocols.
The newly filed federal complaint contains two primary legal counts centered on corporate negligence. The lawsuit argues that despite clear warnings from privacy advocates, ongoing legislative scrutiny in New York, and a previous major data breach, MSG Entertainment continued to aggressively collect and store deeply sensitive personal data without establishing the proper digital safeguards to handle it.
The plaintiff driving the case, Carlos Avalo, attended a concert at Madison Square Garden in September 2025, during which his personal identifying information and biometric data were captured by the venue’s entry systems. Avalo states he reasonably believes his information was compromised in the ShinyHunters dump and is gravely concerned about how his permanent biometric data could be misused by bad actors online.
Because the data breach impacts an immense number of event attendees, the lawsuit seeks to represent a class composed of millions of affected consumers. The complaint formally seeks at least $5 million in initial damages, though class counsel notes the final figure will likely scale much higher. The legal action demands full restitution, compensatory and actual damages for affected consumers, and a court order forcing MSG Entertainment to completely overhaul its cybersecurity and data retention practices.
If you have attended a sporting event, concert, or live performance at Madison Square Garden, you may be eligible to participate in this legal action. The proposed class action lawsuit looks to protect and represent millions of everyday consumers who fit the following criteria:
General Event Attendees: Anyone who purchased tickets, attended an event, or entered Madison Square Garden between 2018 and June 2026, whose personal email communications, account details, or transactional information were stored in MSG Sports or Ticketmaster-connected systems.
Surveillance and Portal Users: Any visitor whose physical likeness, biometric data, or background information was captured by the arena’s facial-recognition software and internal risk-assessment tracking databases.
Workforce and Vendors: Any current or former employee, stagehand, or independent contractor who provided services to an MSG venue and was separately impacted by the corporate Oracle database breach.
When a major class action lawsuit is launched, there is no immediate fee or manual sign-up required for everyday citizens to be included. If the federal court certifies the case and a financial settlement or verdict is achieved, all individuals meeting the geographic and temporal criteria will automatically be considered part of the class and will receive a formal notice detailing how to claim their portion of the restitution fund.
Because the 45 gigabytes of stolen MSG files have already been actively published onto the dark web, affected consumers face immediate and ongoing identity theft risks. Unlike a credit card number, biometric facial templates and Social Security numbers cannot be easily changed, making long-term vigilance absolutely vital.
If you suspect your information was exposed in either of the recent Madison Square Garden security incidents, consumer advocates recommend taking the following immediate protective steps:
Initiate a Free Credit Freeze: Contact the three primary credit bureaus (Experian, Equifax, and TransUnion) to freeze your credit files. This completely blocks unauthorized individuals from opening fraudulent loans or lines of credit in your name.
Watch out for Hyper-Targeted Phishing: Because hackers leaked real customer service emails and fan profiles, scammers can craft highly sophisticated phishing emails or text messages. Be deeply suspicious of any communication claiming to be from MSG Support, the New York Knicks, or Ticketmaster that asks you to click a link or “verify” your password.
Enable Strong Account Safeguards: Update your passwords across all entertainment and ticketing platforms, and turn on app-based multi-factor authentication (MFA) to prevent credential abuse.
New cases and investigations, settlement deadlines, and news straight to your inbox.
