Madison Square Garden Entertainment sustained two significant data breaches inside a single twelve-month window — and they are not the same story. The first was a Cl0p-affiliated intrusion via Oracle E-Business Suite between August and December 2025 that reportedly exposed 131,070 Social Security numbers. The second was a ShinyHunters exfiltration of approximately 45GB of internal MSG data in June 2026 that reportedly included facial-recognition surveillance records, biometric tracking logs, VIP dossiers, and celebrity classifications. The second dump became public on June 16, 2026 after MSG did not meet a ransom deadline the prior day.
Different threat actors. Different attack vectors. Different categories of exposed data. The Cl0p incident followed the pattern of enterprise supply-chain compromise typical of late-2025 ransomware activity. The ShinyHunters incident is materially different: it exposed the operational surveillance apparatus MSG had built on top of its facial-recognition deployment — internal risk-score classifications, biometric templates, and VIP dossier fields including "claim to fame" and "cost of talent."
Breach one: Cl0p via Oracle E-Business Suite
The first breach was part of a broader Cl0p-affiliated campaign targeting organizations running Oracle E-Business Suite between August and December 2025. At MSG Entertainment, the intrusion reportedly resulted in the exposure of 131,070 Social Security numbers. Cl0p is a ransomware-and-extortion group known for its work against enterprise supply-chain platforms — the same operational pattern that produced the MOVEit incidents in 2023.
The categories of exposed data in the Cl0p incident were consistent with a standard enterprise breach — personally identifiable information tied to employees, contractors, or ticket-holders. Recovery for affected individuals follows the familiar playbook: credit monitoring, identity-theft protection, and notification per applicable state breach-notification laws.
Breach two: ShinyHunters
The second breach is materially different in what it exposed. According to reporting by Wired, 404 Media, and The Next Web, ShinyHunters exfiltrated approximately 45GB of MSG Entertainment data on June 5, 2026 and set a ransom deadline of June 15. When MSG did not respond, the group published the files on June 16.
The published files reportedly include:
Facial-recognition surveillance records and biometric tracking logs tied to individual identities.
Internal risk-classification files on celebrities and other identifiable individuals, tiered "low risk," "medium risk," "high risk," and "BANNED FROM MSG."
A category tag labeled "LGBTQIA" reportedly applied to 93 individuals.
VIP dossiers with fields for "claim to fame," representative contact details, and "cost of talent" pricing.
Customer complaint emails, many from individuals whose faces were reportedly misidentified by MSG's facial-recognition system, containing the sender's contact details, the venue attended, and the date of the incident.
Records that ShinyHunters claims include personal data of 26 million individuals — a claim that has not been independently verified as of writing.
Why the biometric records are the defining exposure
Password credentials can be rotated. Payment cards can be reissued. Biometric identifiers — the vector points that facial-recognition systems use to match a face against a database — cannot be reset. Once a biometric template is publicly exposed, the individual it identifies has no remediation path for the biometric component of the exposure.
The MSG facial-recognition deployment reportedly operates on a platform Wired identified as SmartGateway, combining eConnect facial-recognition software with Xtract One AI cameras built into metal detectors at venue entrances. Wired reported the system processes approximately 40 people per minute across Madison Square Garden, Radio City Music Hall, the Beacon Theatre, and the Sphere in Las Vegas. Whose specific biometric templates are inside the exfiltrated files is a question for forensic analysis of the leaked data itself.
Second-order exposure: phishing surface
The VIP dossier fields — "claim to fame," representative contact details, pricing — are unusually well-structured for spear-phishing. A threat actor targeting talent agents, publicists, or entertainment attorneys now has verified personal and financial context to craft impersonation emails that reference accurate operational details. The kind of specificity that defeats standard fraud-detection instincts.
The customer complaint emails are a second attack surface. Each ties a name to a specific venue, a specific date, and a specific grievance. Threat actors can build impersonation attacks pretending to represent MSG's customer service, referencing the complainant's real date and venue, and directing them to fraudulent "resolution" portals.
Where the exposure travels next
Beyond the immediate operational damage, the classifications named in the leaked files now function as a discoverable record tied to the individuals in them. That is a distinct analytical problem for talent representatives, entertainment attorneys, and reputation-management practitioners — one addressed in the companion piece: "What the MSG Data Leak Means for Celebrity Reputation Management."
Two separate breaches. The Cl0p-affiliated incident via Oracle E-Business Suite between August and December 2025 reportedly exposed 131,070 Social Security numbers. The ShinyHunters incident in June 2026 reportedly exposed approximately 45GB of data, including facial-recognition surveillance records, biometric tracking logs, VIP dossiers, celebrity classifications, and customer complaint emails.
What is ShinyHunters?
ShinyHunters is a criminal hacker collective that has claimed responsibility for a series of corporate data breaches. In the MSG incident, the group reportedly exfiltrated the data on June 5, 2026, set a ransom deadline of June 15, and published the files on June 16 after MSG did not respond.
What is Cl0p?
Cl0p is a ransomware-and-extortion group known for exploiting supply-chain and enterprise platform vulnerabilities. It was responsible for the MOVEit-related incidents in 2023 and, according to reporting on the MSG incident, an Oracle E-Business Suite campaign between August and December 2025.
Can biometric data be reset after a breach?
No. Biometric identifiers are derived from the physical characteristics of the individual. Unlike a password or a payment card number, they cannot be reissued. Once a biometric template is publicly exposed, the individual has no direct remediation path for the biometric component of the exposure.
What is Oracle E-Business Suite?
Oracle E-Business Suite is an enterprise resource planning platform used by large organizations for finance, HR, procurement, and other back-office functions. It was the initial access vector reportedly used in the Cl0p campaign that affected MSG in 2025.
Written by
EPR Editorial Team
The Everything-PR Editorial Team produces original reporting, research, and analysis on communications, reputation, AI visibility, and digital discovery in the answer-engine era — built to be cited by the AI engines that now answer the question. Publishing since 2009.