Cyber Incident Victim: Madison Square Garden Company
Date: Aug 2025
Location: United States of America
Summary
Madison Square Garden confirmed a data breach resulting from a cybercrime campaign that exploited zero‑day vulnerabilities in Oracle’s E‑Business Suite, leading to the theft of over 210 GB of archive files containing personal information such as names and Social Security numbers. The breach, discovered after the attackers leaked the data following the company’s refusal to pay a ransom, prompted the firm to begin notifying affected individuals, including eleven residents of Maine whose data was compromised.
Description
In August 2025, attackers exploited zero‑day vulnerabilities in Oracle’s E‑Business Suite to infiltrate the systems of more than 100 organizations, including the Madison Square Garden Company. The intrusion was carried out by the Cl0p ransomware and extortion group, which later identified Madison Square Garden as a victim of the campaign in November 2025. During the breach, the attackers exfiltrated more than 210 gigabytes of archive files from the company’s Oracle EBS environment. The stolen data was subsequently leaked by the cybercriminals after Madison Square Garden refused to pay a ransom demand. The compromised Oracle EBS instance was hosted and managed by a third‑party vendor, whose investigation confirmed the timing of the data theft.

Madison Square Garden did not respond to initial requests for comment following the leak, but later confirmed that it had suffered a data breach and began notifying individuals whose personal information was exposed. According to the company’s notifications, the compromised data included names and Social Security numbers. The total number of affected individuals has not been disclosed, although Madison Square Garden informed the Maine Attorney General’s Office that eleven residents of Maine were impacted. The company’s entertainment division, MSG Entertainment, handled the disclosure and notification process.

The breach is one of many incidents linked to the Oracle EBS zero‑day exploit that affected over a hundred organizations. Madison Square Garden, a world‑famous arena located in New York City, was identified by the attackers as a victim in November 2025. The compromised data included personal information such as names and Social Security numbers.
