ShinyHunters Leaked Facial Recognition Data From Madison Square Garden. 26 Million Records. The Knicks Deadline Passed.

The June 15 deadline passed. Madison Square Garden did not pay. ShinyHunters published 45 gigabytes on June 16.

What Was in the Dump

26 million records. The dataset covers ticketing operations, customer account details, and internal corporate documents tied to both the New York Knicks and New York Rangers.

The talent files are the part that will drive the litigation. ShinyHunters published personal details — addresses, contact information, and confidential notes including "claim to fame" and "cost of talent" — for Knicks players, coaches, and in some cases their representatives. That is not customer PII. That is operational intelligence about the business of professional sports.

The biometric data is the part that should drive the regulatory response. MSG has operated a facial recognition system at its venues for years — a system that has previously generated controversy when MSG used it to identify and deny entry to attorneys involved in litigation against the company. ShinyHunters published that facial recognition and background check data as part of the June 16 dump.

Facial recognition data is biometric data. Under Illinois BIPA, New York SHIELD, and the emerging patchwork of US state biometric privacy statutes, its unauthorized collection, retention, and disclosure carries specific liability. A class action has already been filed.

The Timeline

June 5: ShinyHunters accessed MSG systems.

June 15: Extortion deadline expired without payment.

June 16: 45GB published on ShinyHunters' leak site.

ShinyHunters' playbook is vishing-to-Okta-credential-capture plus Salesforce Experience Cloud misconfiguration. MSG runs enterprise SaaS at scale across ticketing, venue operations, team management, and corporate functions. The combination of a large SaaS estate, a confirmed ransomware payout culture developing across entertainment, and the high-value nature of the data made MSG a logical target.

Why the Facial Recognition Angle Matters

MSG's facial recognition system was controversial before this breach. The company used it to identify and bar entry to lawyers representing plaintiffs in lawsuits against MSG — a use case that generated significant legal scrutiny and an ongoing regulatory debate in New York about biometric surveillance at public venues.

That data is now public. The people whose biometric scans were in MSG's system — visitors, concertgoers, audience members who attended events without knowing they were being scanned — did not consent to their faces ending up on a dark web leak site.

The class action covers 26 million records. The biometric component may represent the most significant liability exposure in the case because biometric damages under state statutes are typically per-occurrence and statutory, not dependent on proof of actual harm.

ShinyHunters have now hit One Medical, DentaQuest, Medtronic, Canvas, Madison Square Garden, and Kodak in 2026. The pattern is consistent: high-value data, Okta/Salesforce entry, ransom deadline, publish on expiry. MSG joins the confirmed victim list.

Sources: BankInfoSecurity — 26M MSG records — The Next Web — facial recognition data — TechRepublic — 26 million records — HIBP

The threat feed this post is built on

1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.

Get your free key → analytics.dugganusa.com/stix/register