Madison Square Garden has been hit with a proposed class action lawsuit alleging hackers accessed sensitive visitor data from up to 26 million people collected through controversial surveillance and facial-recognition systems used at the Knicks’ home arena.
The suit against Madison Square Garden Entertainment was filed Tuesday in New York federal court, one day after cybercrime group ShinyHunters claimed to have hacked the company’s internal systems to obtain everything from biometric facial recognition data and background check information to credit scores and Social Security numbers. The suit comes three days after the Knicks defeated the Spurs in Game 5 of the NBA Finals in San Antonio to take home the 2025-26 championship.
MSG Entertainment, which owns Madison Square Garden, is the only named defendant. Madison Square Garden Sports, a separate company, owns the Knicks and Rangers (and is considering a spinoff to separate the teams into separate entities). James Dolan is executive chairman and CEO of both organizations.
“Madison Square Garden, which is owned by the Defendant as well as its famous tenants (the NBA champion New York Knicks and the New York Rangers), is well regarded as one of the world’s most famous sports arenas,” the complaint says. “The arena is the sole professional sports venue located within Manhattan in New York City – and attracts visitors from around the world.”
The suit says MSG Entertainment has a “tempestuous history with respect to data privacy,” and notes that “despite a slew of lawsuits regarding this conduct, as well as consternation from privacy advocates and legislators in New York, the Arena—at the direction of its owner James Dolan—continues to collect biometric information from each visitor.”
The plaintiff, Carlos Avalo, claims his personal identifying information was collected when he attended a concert at MSG in September 2025. He “reasonably believes” his information was included in the new data breach and is “gravely concerned” about what was exposed.
ShinyHunters demanded that MSG Entertainment pay a ransom to avoid the more than 42 gigabytes of information being released, but the information has since been published online. Examples of information that is now out there include that actor and well-known Knicks fan Ben Stiller is considered “low risk” by MSG, while rapper A Boogie wit da Hoodie is considered “high risk.”
The suit claims that MSG Entertainment hasn’t adequately addressed the hack, including not yet notifying those affected. “Defendant’s response to the Data Breach has been woefully insufficient.” As of Wednesday morning, no statement had been issued by the company, and a representative for MSG Entertainment did not immediately respond to a request for comment.
Not the First Time
Meanwhile, the suit says this does not represent MSG’s first significant data breach, pointing to separate cyber attacks a decade ago and last year that resulted in hackers obtaining consumer data including credit card information and social security numbers.
“And yet, Defendant continued to collect, retain, and otherwise use the personal information of consumers to create threat assessments and for other purposes despite showing it was clearly incapable of handling this sensitive data,” the suit says.
The two-count complaint includes a negligence claim and says the class will include millions of members. It seeks at least $5 million in damages, and the actual amount will likely be far greater than that, because the lawsuit seeks restitution, multiple forms of damages, including actual damages and compensatory damages, plus attorneys’ fees and pre- and post-judgment interest on whatever amount is awarded. The attorney representing the plaintiff declined to offer additional comment.
The facial recognition technology has allegedly been used at MSG since 2018, and has come under fire before. In 2023, MSG Entertainment drew scrutiny, including from New York attorney general Letitia James, for using the technology to find and remove lawyers from Knicks and Rangers games for the sole reason that they worked at a firm that was involved in active litigation with the company.
The new hack of MSG Entertainment comes as the global sports industry has become a “top target” for cyber threats, according to a new report from U.K. cybersecurity firm Darktrace. The firm surveyed 875 IT cybersecurity professionals across sports organizations in the U.S., U.K., Australia, and Germany, and said 84% reported at least one “cyber incident” in the last year.
