Madison Square Garden Data Breach Class Action Lawsuit
Data Breach · Lawsuit Filed

Madison Square Garden Data Breach Class Action: Hackers Claim 26 Million Records as MSG Stays Silent

Published July 1, 2026

If you attended events at MSG venues like Madison Square Garden, Radio City, or the Beacon Theatre, this lawsuit could affect you — though the breach is unconfirmed and there is nothing to claim yet.

Sports and entertainment arena — Madison Square Garden data breach class action lawsuit over a claimed 26 million-record hack
A proposed class action alleges a data breach at MSG Sports and MSG Entertainment; the hackers claim more than 26 million records. MSG has not confirmed the breach.
Allegations Only · Breach Unconfirmed · No Settlement Yet

This article describes a class action complaint and an attacker's public claims. The statements below are unproven allegations. The MSG companies have not confirmed the breach, have not been found liable, there is no certified class, and nothing to claim at this time. This page is informational and is not legal advice.

What Is This About?

Madison Square Garden Sports Corp. and Madison Square Garden Entertainment Corp. — the companies behind the New York Knicks, the New York Rangers, Madison Square Garden, Radio City Music Hall, the Beacon Theatre, and The Chicago Theatre — are facing a proposed class action lawsuit over a claimed data breach. The complaint alleges the companies failed to adequately secure the personal information of their customers, and that hackers exposed internal MSG files online. The MSG companies have not publicly confirmed a breach, have not been found liable, and the allegations remain unproven.

The case is captioned Pitt v. Madison Square Garden Sports Corp., Case No. 1:26-cv-05184, and is pending in the U.S. District Court for the Southern District of New York. The named plaintiff, a Georgia resident who attended events at MSG venues, brings the case on behalf of a proposed nationwide class. The complaint asserts claims for negligence, negligence per se, unjust enrichment, breach of fiduciary duty, and breach of implied contract.

Status Complaint Filed · June 18, 2026 Proposed class action · Pitt v. Madison Square Garden Sports Corp. · Breach not confirmed by MSG
People Affected No confirmed count · 26M+ records claimed by hackers MSG has not announced the breach; the 26 million-record / 42 GB figure is the ShinyHunters group's unverified claim
Data Involved (Alleged) Internal files, contact info & talent records Reported fields include addresses, contact details, internal risk designations, and talent valuations — per media reports of the leak, unverified
Can I Claim? No — nothing to claim yet No settlement announced, no class certified, and no breach notification letters have gone out

How Many People Were Affected?

There is no company-confirmed number — and that gap is itself a central allegation in the lawsuit. According to the complaint, the MSG companies have not publicly announced the breach or notified affected individuals, leaving customers unaware their information may have been exposed.

The only figures come from the attackers. The ShinyHunters hacking group claimed responsibility for the incident and, according to reporting by 404 Media, claimed the stolen data spans roughly 42 GB of internal files containing more than 26 million records. Two cautions apply: that is the attacker's unverified claim, not a confirmed count, and a record count is not the same as a count of people — datasets like this often contain duplicate or overlapping entries. Until MSG confirms the incident or notification letters go out, any "number affected" is an estimate built on the hackers' say-so.

What Was in the Leaked Data?

According to media reports on the leak cited in the complaint, the published files go beyond basic contact information. They reportedly include files about specific sports teams and Knicks-related personalities with fields such as "address," "claim to fame," and "cost of talent," along with internal risk designations, talent valuations, and contact information for prominent individuals or their representatives. The complaint also alleges — on information and belief — that the data was unencrypted at the time of the breach.

The complaint further alleges that the MSG companies collect personal information from customers as a condition of service, including facial recognition and biometric data gathered through venue surveillance systems. All of these characterizations come from the complaint and from third-party reporting on the leaked files; the MSG companies have not confirmed what data, if any, was taken.

What the Lawsuit Alleges

The complaint alleges the MSG companies failed to implement reasonable, industry-standard cybersecurity — citing frameworks like the NIST Cybersecurity Framework and the FTC's data-security guidance — and that this failure made the breach a foreseeable consequence. It also alleges the companies compounded the harm by staying silent: because no breach notice has gone out, the complaint argues, affected customers have been deprived of the chance to protect themselves with credit freezes, fraud alerts, and account monitoring.

The suit brings five claims — negligence, negligence per se, unjust enrichment, breach of fiduciary duty, and breach of implied contract — and asks the court to certify a nationwide class, award damages (including punitive damages), and order injunctive relief requiring the companies to strengthen their security, notify every affected person, and pay for lifetime credit monitoring and identity-theft protection for class members. As with any complaint, these are requests tied to unproven allegations; a court has not ruled on whether the MSG companies' security was inadequate or whether a breach even occurred as described.

Is There an MSG Settlement Yet?

No. This is important: Pitt v. Madison Square Garden Sports Corp. is a newly filed lawsuit, not a settlement.

That means:

• There is no settlement fund.
• There is no claim form.
• There is no payout, and no deadline to act.
• Consumers do not need to do anything at this stage.

The filing of a complaint is the very beginning of a case, not the end. The MSG companies have not been found liable simply because a lawsuit was filed. If the case is ever resolved through a settlement or a class is certified, a formal claims process with its own eligibility rules and deadlines would be announced separately.

Who Could Be Affected?

The complaint proposes a nationwide class of all persons in the United States whose private information was accessed in the claimed breach. Because MSG has not confirmed the incident or identified whose data was involved, there is no way to verify membership at this stage — but the proposed class could potentially reach people who bought tickets or attended events at MSG venues, including Madison Square Garden, Radio City Music Hall, the Beacon Theatre, and The Chicago Theatre, as well as Knicks and Rangers customers.

If you have attended MSG events, it may be worth keeping ticket confirmations and account records in case a class is later certified and a claims process opens. There is nothing to file right now.

What Should Concerned Customers Do Now?

Since no breach notice has gone out, the practical steps are the standard precautions after any claimed exposure: watch your bank and card statements for unfamiliar activity, be skeptical of unsolicited calls, texts, and emails that reference MSG events or teams (breach data is commonly used to make phishing more convincing), and consider a fraud alert or credit freeze with the major credit bureaus if you are concerned. Also beware of scams: there is no MSG data breach claim form, and anyone asking you to pay a fee or "verify" bank details to receive an MSG settlement payment is running a scam.

This page is informational and is not legal advice. People with questions about their individual rights may want to speak with a licensed attorney in their state.

What Happens Next?

From here, the case will move through the normal early stages of federal litigation. The MSG companies may respond to the complaint or move to dismiss, the parties may exchange information in discovery — which could establish what actually happened and how many people were affected — and the plaintiff would, at some point, ask the court to certify a class. Related suits over the same incident may also be filed and consolidated.

OpenClassActions.com will continue watching the docket and any company disclosures for major updates, including any breach confirmation or notification program, a motion to dismiss, consolidation, class certification activity, or any future claim form.

Frequently Asked Questions

How many people were affected by the MSG data breach?

There is no confirmed number. MSG has not announced the breach or sent notices. The ShinyHunters group claims the data includes more than 26 million records across roughly 42 GB of files — an unverified attacker claim, and records are not the same as people.

Is there anything to claim right now?

No. There is no settlement, no fund, and no claim form. Anyone asking you to file a claim or pay a fee for an MSG data breach refund today is running a scam.

Who could be covered?

The complaint proposes a nationwide class of everyone in the U.S. whose private information was accessed in the claimed breach. No class has been certified, and the definition could change as the case develops.

Sources

• Class Action Complaint, Pitt v. Madison Square Garden Sports Corp., No. 1:26-cv-05184 (S.D.N.Y., filed June 18, 2026).
404 Media — "Hackers Publish Knicks and Madison Square Garden Data Online"


For more class actions keep scrolling below.
Status Complaint Filed — Proposed Class Action (Breach Unconfirmed by MSG)
Case Title Pitt v. Madison Square Garden Sports Corp.
Case Number 1:26-cv-05184
Court U.S. District Court, Southern District of New York
Date Filed June 18, 2026
Claims Negligence; negligence per se; unjust enrichment; breach of fiduciary duty; breach of implied contract

Related Data Breach Cases