Madison Square Garden Family of Companies has recently confirmed that it notified an undisclosed number of people about a significant data breach that exposed highly sensitive personal information, including names and Social Security numbers (SSNs). The company operates some of the most iconic entertainment venues in the United States — including Madison Square Garden, Radio City Music Hall, and others — making this cyber incident particularly noteworthy.

What Happened?

According to the notification to affected individuals, the breach traces back to August 2025, when an unauthorized person gained access to data stored in an Oracle E-Business Suite (EBS) application that was hosted and managed by a third-party vendor. This access was uncovered during an internal investigation completed in late November 2025.

Though the precise number of individuals who were notified hasn’t been publicly disclosed by Madison Square Garden (MSG), cybersecurity analysts and regulatory filings suggest that the breach affected tens of thousands of individuals, including current and former employees, contractors, and other corporate partners. External sources estimate the number of exposed records could be in excess of 130,000, encompassing full names, physical addresses, and Social Security numbers.

Attackers and the Vulnerability

Cybersecurity researchers have linked this breach to a broader campaign by the Clop (Cl0p) ransomware and extortion group. Clop is known for exploiting zero-day vulnerabilities — previously unknown security flaws — most notably within Oracle’s EBS software. In 2025, Clop disclosed that it had successfully targeted hundreds of organizations using this vulnerability, forcing many into ransom negotiations or data exposure events.

In many instances with these attacks, Clop does not encrypt data (as traditional ransomware does), but instead steals sensitive information and threatens to publish or sell it unless a ransom is paid. It’s not clear whether MSG paid any ransom or resisted such demands.

What Information Was Exposed?

The data exposed in this breach appears to have included:

• Full names
• Social Security numbers
• Physical home addresses
• Potentially other business records related to payroll or employment

Because Social Security numbers are permanent identifiers, their compromise can pose a long-term identity theft risk for victims — far more serious than a lost credit card number, which can be reissued.

Company Response and Support for Victims

In response to the breach, MSG is offering one year of free credit monitoring and identity protection services through TransUnion to eligible individuals. People who received notification letters have 90 days to enroll in these services.

In addition to offering monitoring services, affected individuals are strongly advised to:

• Monitor financial accounts and credit reports for unusual activity.
• Consider placing fraud alerts or credit freezes on their files.
• Watch carefully for phishing attempts claiming to be from MSG or other entities.

Broader Context: Oracle EBS Security Issues

The MSG breach is part of a larger pattern of cybersecurity incidents tied to vulnerabilities in Oracle’s E-Business Suite. Numerous other organizations — including universities, large enterprises, and public agencies — have reported similar breaches after weaknesses in that software were exploited by cybercriminals.

This underscores a growing concern in the corporate world: even well-established brands and entertainment giants remain vulnerable when back-end business systems are compromised. It also highlights the importance of regular software patching, third-party vendor oversight, and proactive cybersecurity defenses across all business platforms.