A ticket scan may not be the only thing Madison Square Garden kept after a night out.
Hackers linked to ShinyHunters claim they leaked at least 26 million Madison Square Garden visitor records after a ransom deadline passed. The allegedly exposed data appears to include not only contact details, but also security reports, facial recognition-related profiles, and other records tied to people who entered or interacted with the venue.
That makes this more than just another customer data incident. If the leaked files are authentic, the breach shows how surveillance and venue-security data can become a lasting risk long after the event is over.
Hackers set ransom deadline
ShinyHunters posted the data on June 16, one day after its stated payment deadline passed. In the listing, the group said MSG had failed to reach an agreement “despite our incredible patience,” presenting the release as the result of an unresolved extortion demand.
Hackers also wrote, “When you pay us, your data is deleted, and you move on with your life. When you don’t pay us, you get posted here, among other things.”
The file size and record count were both listed as minimum figures. Madison Square Garden has not publicly confirmed the full scope.
A proposed class action has since been filed in New York federal court, but the security concern begins with what the files appear to contain.
What MSG kept after visitors walked in
Basic contact information would be serious enough. According to the leaked sample, the files included something even more sensitive about people who entered the venue.
The exposed material included security reports about visitors, profiles linked to facial recognition, and identifying details such as names and addresses. Some files reportedly involved public figures, but the concern is not limited to recognizable names.
Customer emails were also exposed, including messages from people who had raised concerns about MSG’s use of and retention of facial recognition data.
A person who questioned surveillance may have ended up inside the very data trail they were worried about.
Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
Stored visitor data turns into breach material
Venue security records carry a different burden once they are saved. A company collecting that kind of information has to decide who can view it, how long it stays in the system, whether vendors can touch it, and whether old records should be deleted before they become useful to attackers.
Retention is the key issue. Data collected for a single event can outlive the reason it was gathered, particularly when it is stored in a searchable system or connected to other identifiers. Every extra field creates another path for misuse if the system is breached.
MSG’s surveillance practices had already drawn scrutiny before the hack. WIRED previously reported on the company’s use of facial recognition and detailed venue tracking, including reports that followed visitor movements down to the second.
Legal fallout has followed. Carlos Avalos, who said his information was collected when he attended an MSG concert in September 2025, filed a proposed class action accusing the company of failing to secure sensitive data, failing to provide timely notice, and leaving people without clarity on what was exposed.
Related reading: ShinyHunters is threatening to leak alleged Council of Europe HR data, including payroll and medical records.