ShinyHunters Leaks 45GB of Madison Square Garden Data

What Happened?

On June 20, 2025, the cybercriminal group ShinyHunters published a 45-gigabyte compressed file on a dark web forum containing data stolen from Madison Square Garden Entertainment (MSG). The leak occurred after the company failed to meet the ransom deadline of June 15, according to The Next Web. The hackers claim the dataset includes 26 million customer and corporate records, though this figure has not been independently verified. Among the leaked data are facial recognition surveillance logs, internal threat assessments, personal information such as names, addresses, emails, and possibly financial data. A federal class-action lawsuit has already been filed in the U.S. District Court for the Southern District of New York, alleging negligence and violations of the California Consumer Privacy Act (CCPA) and other laws.

Why Is This Important?

This leak is significant for several reasons. First, the inclusion of facial recognition data raises serious concerns about privacy and mass surveillance. MSG has previously faced criticism for its aggressive use of this technology, including banning lawyers involved in lawsuits against the company, as documented in a 2023 case. Second, the volume of data (45 GB) and the number of records (26 million) make it one of the largest leaks of the year, comparable to the 2024 Ticketmaster data breach that exposed 560 million records. Additionally, the publication of internal threat assessments could expose security vulnerabilities that other organizations might exploit, such as surveillance blind spots or operational procedures. The leak also underscores the growing threat of ransomware groups that combine data theft with extortion, a tactic that has been on the rise since 2020.

Consequences and Context

Immediate consequences include the federal class-action lawsuit seeking compensatory and punitive damages for the exposure of biometric and personal data. In the long term, customer trust in MSG could be affected, especially regarding the use of facial recognition. This incident adds to a series of high-profile leaks attributed to ShinyHunters, which previously targeted companies like Microsoft (in 2021, exposing 500 GB of data), Tokopedia (91 million records in 2020), and Wattpad (270 million records in 2020). The leak also highlights the vulnerability of biometric surveillance systems, which have been under regulatory scrutiny in the European Union and several U.S. states. The lawsuit will argue that MSG failed to implement adequate security measures, such as encrypting biometric data, which under the CCPA must be protected with reasonable security standards.

What Should Readers Know?

• If you are a customer or employee of MSG, your personal data (name, address, email, possibly financial data) may be compromised. Additionally, facial recognition records may include images and surveillance metadata, such as the time and location of each detection.
• Monitor your bank and credit accounts, and consider freezing your credit if you suspect misuse. According to the FTC, victims of data breaches are entitled to free credit reports.
• Be alert for potential phishing scams using this leak as a lure, as cybercriminals often exploit leaked data for targeted attacks.
• The leak of internal threat assessments could be used by other malicious actors to plan physical or cyber attacks against MSG facilities.

“The publication of facial recognition data is especially alarming, as it not only exposes personal information but also reveals behavioral patterns and locations. This could enable reverse surveillance or tracking of individuals without their consent.” — Cybersecurity analyst at TheVortiq.

Technical Analysis

The 45 GB dump includes, according to the hackers, 26 million records. However, the exact figure and the nature of all data have not been independently verified. The inclusion of facial surveillance logs suggests that MSG stores biometric data of attendees, which could violate privacy laws like the CCPA or GDPR if applicable to European citizens. The class-action lawsuit will argue that MSG failed to implement adequate security measures to protect this sensitive data. According to security experts, biometric data should be stored with end-to-end encryption and secure hashing, practices that MSG apparently did not follow. The ShinyHunters group claimed to have accessed the systems through credentials from a third-party vendor, underscoring supply chain risks. The leak also includes internal threat assessments detailing vulnerabilities in MSG's physical and cyber security, such as lack of network segmentation and poor access controls.

Lessons for Businesses

This incident reinforces the need to: (1) minimize biometric data collection by adopting a privacy-by-design approach; (2) encrypt sensitive data both at rest and in transit using standards like AES-256; (3) conduct regular security audits, including penetration testing and third-party risk assessments; and (4) have an incident response plan that includes rapid notification to affected parties, complying with legal deadlines such as GDPR's 72 hours. Additionally, companies using facial recognition should assess the legal and reputational risks involved, especially in light of growing restrictions in cities like San Francisco and Portland, which have banned its use by government agencies. The leak also highlights the importance of password hygiene and multi-factor authentication to prevent unauthorized access. Companies should consider implementing a bug bounty program to identify vulnerabilities before attackers exploit them.