Madison Square Garden is now facing class-action lawsuits after an alleged cyberattack exposed what plaintiffs say may be one of the more sensitive venue-related data breaches in recent memory.
According to the lawsuits, a June cyberattack by ShinyHunters led to the leak of approximately 26 million records connected to Madison Square Garden and its parent companies. The alleged data set was not limited to basic customer information. The lawsuits claim the breach included internal emails, celebrity contacts, corporate documents, information connected to MSG’s biometric surveillance technology, dossiers on people who criticized facial recognition, and personally identifiable information belonging to customers.
That is why this incident matters beyond Madison Square Garden.
This is not just another data breach story. It is a warning about what happens when companies collect highly sensitive data, keep it for operational or security purposes, and then fail to protect it from attackers. When ordinary customer records are breached, the damage is serious. When biometric surveillance data, risk scores, internal dossiers, and identity-linked profiles are breached, the privacy consequences become much larger.
The MSG lawsuits are about more than a hack
The core issue in the lawsuits is not simply that hackers allegedly accessed MSG-related systems. The bigger question is why this much sensitive information existed in one place, how long it was retained, how it was secured, and whether customers had a meaningful understanding of what was being collected about them.
That distinction matters for privacy compliance.
A company can be the victim of a cyberattack and still face liability if plaintiffs can show the company collected excessive data, failed to use reasonable safeguards, delayed notification, ignored known risks, or failed to maintain a defensible privacy and security program.
In the Madison Square Garden case, the lawsuits reportedly allege that ShinyHunters published the records after MSG failed to reach an agreement with the hacking group. The alleged leak included more than customer names and email addresses. It reportedly included internal information about MSG’s facial recognition program, contacts for celebrities and representatives, corporate communications, and files connected to people who criticized MSG’s use of biometric surveillance.
That changes the character of the incident.
A stolen email list is one kind of breach. A stolen surveillance ecosystem is something else.
Why biometric data creates a different kind of privacy risk
Biometric data is not like a password. A password can be reset. A credit card can be reissued. A person’s face cannot be replaced.
That is why biometric information is treated as a higher-risk category under many privacy frameworks. Facial geometry, facial recognition templates, watchlist matches, access-control profiles, and identity-linked surveillance records can follow a person in ways ordinary contact information cannot.
For a venue, biometric systems may be introduced as a security tool. The business case is often framed around identifying banned individuals, detecting threats, preventing ticket fraud, or improving guest safety. But privacy risk does not disappear because the original purpose sounds legitimate.
The privacy question is broader:
- What biometric data is collected?
- Is it converted into a template or profile?
- Is it tied to a person’s name, ticket purchase, phone number, email address, social media activity, or behavioral record?
- How long is the data retained?
- Who has access to it?
- Is the data shared with vendors, law enforcement, affiliates, or contractors?
- Are customers clearly told what is happening before collection?
- Is the system monitored for security, misuse, and unauthorized access?
Those questions are now central to privacy compliance. Companies that use facial recognition, badge systems, visitor analytics, smart cameras, access-control vendors, or AI-enabled security tools need to treat these systems as regulated data processing activities, not merely physical security infrastructure.
The biggest privacy issue is data minimization
The Madison Square Garden lawsuits point to a recurring privacy failure: companies collect more data than they can responsibly govern.
Data minimization is supposed to be one of the simplest privacy principles. Only collect what you need. Only use it for a defined purpose. Only keep it as long as necessary. Only give access to people who need it. Delete it when the purpose is over.
In practice, companies often do the opposite.
Security teams want more information. Marketing teams want more profiles. Operations teams want more analytics. Executives want more visibility. Vendors make it easy to collect more than the business originally intended. Over time, a company can end up with sensitive data stores that nobody fully owns, nobody regularly audits, and nobody is eager to delete.
That is where privacy risk compounds.
The more sensitive the data, the less forgiving regulators, courts, and plaintiffs will be after a breach. If a company collects biometric data, threat profiles, identity-linked visitor records, or dossiers about individuals, it should expect hard questions after an incident:
Why did you collect it?
Why did you keep it?
Why was it accessible?
Why was it not encrypted or segmented?
Why were customers not clearly informed?
Why was there no faster detection and notification process?
Those questions are not just legal questions. They are governance questions.
New York law makes the MSG case especially important
Because MSG operates in New York, the lawsuits also sit against a legal backdrop that is unusually relevant to biometric data and breach response.
New York’s SHIELD Act requires businesses that maintain private information of New York residents to use reasonable administrative, technical, and physical safeguards. The law also expanded the definition of private information to include biometric information, as well as certain account credentials and other sensitive identifiers.
New York City also has a biometric identifier law that applies to certain commercial establishments, including places of entertainment. That law generally requires clear notice when a business collects, retains, converts, stores, or shares biometric identifier information from customers, and it restricts profiting from biometric identifier information.
That does not automatically mean MSG is liable. The lawsuits still need to be litigated, and MSG will have defenses. But the case shows why biometric data collection in New York is not a casual operational decision. It is a privacy compliance decision.
If a business uses face scans, fingerprint access, palm scans, voiceprints, or other biometric identifiers, it needs more than a vendor contract and a security rationale. It needs a documented compliance program.
What companies should learn from the MSG breach lawsuits
The most important lesson is that sensitive data should not be collected casually just because technology makes it possible.
Companies using biometric or surveillance tools should immediately review whether they have:
- A complete inventory of biometric and surveillance systems
- A written purpose for each collection activity
- Clear notices at the point of collection
- A retention schedule for biometric templates and related profiles
- Vendor contracts with security and privacy obligations
- Access controls limiting who can view or export sensitive records
- Encryption for stored biometric and identity-linked data
- Audit logs showing access, changes, and exports
- An incident response plan specific to sensitive data
- A process for deleting data that is no longer needed
This is also where many companies underestimate their exposure. They may have a general privacy policy, a cookie banner, or a vendor list, but they do not have a real map of sensitive data flows. That becomes a problem when a breach happens.
A privacy policy is not enough if the company cannot prove what data was collected, where it went, why it was retained, and how it was protected.
Biometric surveillance turns physical security into privacy compliance
For years, many companies treated cameras, visitor logs, badge scans, and venue security tools as physical security systems. That approach is outdated.
Modern security systems collect personal data. Many collect sensitive personal data. Some create profiles, scores, watchlists, or automated decisions about people. Once that happens, the system moves out of the narrow world of building security and into the broader world of privacy, cybersecurity, AI governance, and consumer protection.
This is especially true for stadiums, arenas, hotels, casinos, retailers, hospitals, schools, airports, office buildings, residential towers, and large event venues.
These organizations often process huge volumes of visitor data, including people who never created an online account and may not realize their identity or biometric information is being captured. That makes notice, consent where required, retention, vendor oversight, and security controls even more important.
The reputational damage may be worse than the breach notice
One of the most damaging parts of the MSG allegations is the claim that leaked records included information about people who criticized facial recognition technology.
That is the kind of fact pattern that regulators, journalists, plaintiffs’ lawyers, and the public understand immediately. It raises a simple question: was the company collecting data for safety, or was it building a surveillance apparatus around critics, customers, employees, attorneys, and public figures?
That question can be more damaging than the breach itself.
Data breaches are common. A breach involving alleged surveillance dossiers is different. It creates the impression that the company was not merely protecting a venue, but monitoring people in ways they did not expect and could not reasonably control.
For privacy teams, that is the real risk. A company can defend a security system. It is much harder to defend a system that appears excessive, opaque, or retaliatory.
Does your company use biometric or visitor surveillance tools?
Companies should not wait for a breach, lawsuit, or regulator letter to figure out what their surveillance systems are doing.
The first step is an inventory. Identify every tool that collects or processes biometric, visual, audio, location, access-control, or visitor-identification data. That includes cameras, facial recognition systems, smart entry tools, security vendors, ticketing integrations, identity verification systems, loss-prevention tools, and AI analytics platforms.
The second step is classification. Determine whether the data is ordinary personal information, sensitive personal information, biometric information, health information, employee information, children’s data, or another regulated category.
The third step is minimization. Delete what is not needed. Shorten retention periods. Remove unnecessary fields. Separate biometric templates from other identity records where possible. Limit exports. Restrict access.
The fourth step is notice and governance. Make sure customers, visitors, employees, and contractors receive the required disclosures. Update privacy notices. Review signage. Update vendor agreements. Document the business purpose. Maintain records showing why the system is necessary and how risks are controlled.
The fifth step is monitoring. Sensitive data environments need ongoing privacy and security monitoring, not an annual checklist. Companies should be watching for new vendors, new data flows, misconfigured systems, changes in tracking behavior, excessive retention, unauthorized access, and gaps between what the privacy notice says and what the company actually does.
Where Captain Compliance fits in
At Captain Compliance, we help companies identify and reduce the privacy risks that often sit beneath the surface of everyday business operations.
That includes cookie consent, privacy notices, DSAR workflows, vendor disclosures, data mapping, sensitive data reviews, and ongoing monitoring for privacy risk across websites and digital systems.
The Madison Square Garden lawsuits are a reminder that privacy compliance is no longer limited to websites and marketing pixels. It now reaches cameras, biometric systems, physical venues, AI tools, internal databases, vendor platforms, and security programs.
If your company collects personal information, biometric information, visitor data, customer profiles, or sensitive operational data, the question is not whether that data has business value. The question is whether you can defend the collection, secure the data, honor privacy rights, and delete what you no longer need.
That is the difference between using data and being exposed by it.
Learn more about how Captain Compliance helps businesses manage privacy risk and book a demo below.