Madison Square Garden, the iconic New York City arena, has disclosed that it was affected by a significant data breach. This incident is part of a larger cybercrime campaign targeting users of Oracle’s E-Business Suite (EBS), orchestrated by the notorious Cl0p ransomware group.
Exploitation of Oracle EBS Vulnerabilities
The Cl0p ransomware group exploited zero-day vulnerabilities within Oracle’s EBS to infiltrate the systems of over 100 organizations. In November 2025, Madison Square Garden was publicly identified by these cybercriminals as a victim. Following this disclosure, data purportedly stolen from MSG was leaked online, suggesting that the company opted not to comply with ransom demands.
Official Confirmation and Response
Initially, Madison Square Garden did not comment on the breach. However, the organization has now confirmed the data breach and begun informing individuals whose personal data has been compromised. The breach was traced back to an Oracle EBS instance managed by a third-party service provider, which discovered that hackers had accessed sensitive data as early as August 2025.
Impact on Personal Information
The breach exposed personal information, including names and Social Security numbers. The total number of people affected remains unclear, but MSG Entertainment reported to the Maine Attorney General’s Office that 11 residents of the state have been impacted.
This incident underscores the importance of robust cybersecurity measures, particularly for organizations reliant on third-party vendors for data management.
With the increasing complexity of cyber threats, organizations like Madison Square Garden must continually enhance their security protocols to safeguard sensitive information and mitigate potential risks.
