A group of Madison Square Garden customers has filed class-action lawsuits following a major data breach that compromised the personal information of more than 26 million individuals, according to court filings in the Southern District of New York. The attack occurred in the weeks leading up to the New York Knicks’ NBA finals victory and involved the theft of internal communications, celebrity contacts, and other sensitive corporate data.

The hacking group ShinyHunters claimed responsibility for the breach, announcing on June 12 that they demanded a ransom to prevent the release of the stolen information. When Madison Square Garden did not comply, ShinyHunters published the data on June 16, stating the organization had “failed to reach an agreement with us.” The breach reportedly targeted Madison Square Garden Entertainment and Madison Square Garden Sports Corporation, the owners of the arena and various sports franchises.

Experts suggest the attack was intended more to pressure Madison Square Garden into paying a ransom through public embarrassment than to facilitate traditional financial fraud. Josephine Wolff, a cybersecurity policy professor at Tufts University, noted that hackers increasingly seek to leverage the threat of exposing private communications and corporate secrets as a lucrative tactic. This form of extortion often proves more profitable than selling personally identifiable information on illicit dark web markets.

While the breach poses a lower risk compared to attacks involving payment card data, concerns remain about the nature of the information exposed. The lawsuit highlights Madison Square Garden’s use of facial recognition technology, initiated at events like the 2018 Grammy Awards, which the company claims is intended to identify security threats. Privacy advocates and plaintiffs’ attorneys argue that the company has historically disregarded consumer privacy rights, stating that fans and attendees should not forfeit their privacy at Madison Square Garden’s gates.

The lawsuits seek monetary damages, reimbursement of legal expenses, and revisions to the affected companies’ privacy policies and security practices. Previous cyberattacks have also targeted Madison Square Garden, including a 2025 breach by the hacking group Cl0p that exposed Social Security numbers of employees.

ShinyHunters, formed around 2020, has a documented history of cyber extortion operations targeting multiple organizations. Among recent incidents, the group claimed responsibility for a May cyberattack on Canvas, a widely used educational software platform, leading to negotiations in which the stolen data was returned. Lawmakers, including Representative Laura Friedman of California, have urged federal agencies to investigate such breaches and hold perpetrators accountable.

Cybersecurity experts recommend that individuals potentially affected by the Madison Square Garden breach take immediate precautions, such as updating passwords, enabling two-factor authentication, and placing credit freezes with major credit bureaus to reduce the risk of identity theft or fraud.