The Madison Square Garden Company (MSG) informed customers on Tuesday that their payment card data may have been stolen by cybercriminals who installed a piece of malware on its payment processing system.
MSG launched an investigation after card issuers noticed a suspicious transaction pattern. The cybersecurity firm called in to investigate determined that the attackers had had access to the company’s systems since November 9, 2015.
The malware they used collected credit and debit card data as it was being routed through the system for authorization, MSG said. The stolen data included cardholder name, card number, expiration date and internal verification code.
The company believes the incident affects customers who swiped their cards to purchase merchandise or food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater and Chicago Theater between November 9, 2015, and October 24, 2016. Cards used on the MSG website or at venue Box Offices don’t appear to be impacted.
“MSG has stopped this incident, and we continue to work with the computer security firms to further strengthen the security of our systems to help prevent this from happening again. We have also been providing information to law enforcement regarding this matter,” the company stated.
The notifications sent out to customers include advice on how they can protect themselves against fraud and identity theft, but the company has not offered to cover the costs of specialized protection services.
“No one has been immune: large retailers, popular restaurant chains, massive hotel groups – all have fallen prey to similar attacks. It can be very difficult for teams with little to no cyber security resources on staff to detect and respond to attacks like this,” said Richard Henderson, global security strategist at Absolute Software.
“Far too many organizations focus on checklist goals and meeting their latest PCI compliance audit instead of actively monitoring payment card networks for indicators of compromise that may be indicative of a breach. The bottom line is simple: attackers don’t care that you passed your last audit,” Henderson added.
Several major companies have reported suffering a payment card breach in recent months, including HEI, Kimpton Hotels & Restaurants, Noodles & Company, Hard Rock Hotel & Casino Las Vegas, Eddie Bauer and Omni Hotels.