Cyber Incident Victim: Madison Square Garden Company
Date:
Nov 2015
Location:
United States of America
Summary
A cybersecurity incident potentially compromised payment card data of patrons at multiple entertainment venues, including Madison Square Garden and affiliated theaters, over an extended period. The breach targeted magnetic stripe information from transactions at on-site merchandise, food, and beverage vendors but excluded online sales, box office purchases, and Ticketmaster transactions. The company confirmed unauthorized access to payment systems during the affected timeframe and notified customers of the data exposure risk.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Madison Square Garden Co. (MSG) publicly disclosed a potential payment card data breach on November 22, 2016, notifying customers that hackers may have compromised magnetic stripe information from cards used at its venues. The company stated the unauthorized access occurred over an 11-month period between November 9, 2015, and October 24, 2016, affecting transactions processed at merchandise stands and food and beverage vendors within five entertainment venues: Madison Square Garden, The Theater at Madison Square Garden, Radio City Music Hall, Beacon Theatre, and The Chicago Theatre. The breach specifically targeted point-of-sale systems handling physical card payments at concession areas, excluding all digital and primary ticketing channels. Online sales through MSG platforms, box office transactions, and Ticketmaster purchases remained unaffected according to the company's investigation. While MSG did not specify the number of potentially compromised accounts, the extended exposure window across multiple high-traffic venues suggested significant potential impact on customers who made purchases during live events. The company's stock price showed minimal immediate reaction, rising 0.3% to $173.50 in after-hours trading following the disclosure.
MSG's announcement provided limited technical details about the breach's discovery mechanism or the attackers' methods, focusing instead on the confirmed scope of affected systems and timeframes. The company did not describe any containment measures taken during the intrusion period or specify whether forensic investigators identified malware on point-of-sale devices. No information was disclosed regarding whether encrypted data was accessed or if card verification codes (CVV) were compromised. The notification occurred approximately one month after the breach window closed, though the company did not clarify when during the 11-month period it first detected suspicious activity. MSG advised customers to review their payment card statements for unauthorized transactions but did not announce complimentary credit monitoring services in its initial statement. The breach marked the second cybersecurity incident disclosed by a major New York venue operator within three years, following a 2013 breach at the New York State Theater.