Security Experts:

Connect with us

Hi, what are you looking for?



Madison Square Garden Discovers Payment System Breach

The Madison Square Garden Company (MSG) informed customers on Tuesday that their payment card data may have been stolen by cybercriminals who installed a piece of malware on its payment processing system.

The Madison Square Garden Company (MSG) informed customers on Tuesday that their payment card data may have been stolen by cybercriminals who installed a piece of malware on its payment processing system.

MSG launched an investigation after card issuers noticed a suspicious transaction pattern. The cybersecurity firm called in to investigate determined that the attackers had access to the company’s systems since November 9, 2015.

The malware they used collected credit and debit card data as it was being routed through the system for authorization, MSG said. The stolen data included cardholder name, card number, expiration date and internal verification code.

The company believes the incident affects customers who swiped their cards to purchase merchandise or food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater and Chicago Theater between November 9, 2015, and October 24, 2016. Cards used on the MSG website or at venue Box Offices don’t appear to be impacted.

“MSG has stopped this incident, and we continue to work with the computer security firms to further strengthen the security of our systems to help prevent this from happening again. We have also been providing information to law enforcement regarding this matter,” the company stated.

The notifications sent out to customers include advice on how they can protect themselves against fraud and identity theft, but the company has not offered to cover the costs of specialized protection services.

“No one has been immune: large retailers, popular restaurant chains, massive hotel groups – all have fallen prey to similar attacks. It can be very difficult for teams with little to no cyber security resources on staff to detect and respond to attacks like this,” said Richard Henderson, global security strategist at Absolute Software.

“Far too many organizations focus on checklist goals and meeting their latest PCI compliance audit instead of actively monitoring payment card networks for indicators of compromise that may be indicative of a breach. The bottom line is simple: attackers don’t care that you passed your last audit,” Henderson added.

Several major companies reported suffering a payment card breach in the past months, including HEI, Kimpton Hotels & Restaurants, Noodles & Company, Hard Rock Hotel & Casino Las Vegas, Eddie Bauer and Omni Hotels.

Related: 3.7 Million Exposed in Banner Health Breach

Related: Details of 133,000 Three Customers Stolen by Hackers

Related: MICROS Hackers Targeted Five Other PoS Vendors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...