MSG Breach: Knicks Take the NBA Championship, ShinyHunters Takes the Data
My Knicks are winners. My city is joyous. My data was stolen. ShinyHunters in One.
As Knicks fans poured into the streets of New York to celebrate the team winning the NBA championship (in five games, after 53 years, y’all!), ShinyHunters were already nicking 45 GB of corporate and customer data from Madison Square Garden’s systems and delivering a ransom demand to the venue’s owner.
And on Monday, MSG let the deadline to pay up pass. The “or else” came shortly after, when ShinyHunters published the files, which contained 26 million customer records, customer support emails, and some Talent files meant for internal use, which include their addresses, appearance fees, and risk-level ratings. So far, there’s no confirmation that any payment data was swiped.
“Sports organizations are attractive targets because they combine valuable data, high-profile individuals, complex vendor relationships, and digital systems that are expected to work under intense public pressure,” says Nathaniel Jones, vice president, security and AI strategy and field CISO at Darktrace.
It is the second time MSG has found itself the target of ransomware actors—when the Oracle E-Business Suite was breached by Cl0p operatives last August, the venue was among the victims. MSG is not alone—84% of sports organizations had experienced a cyber incident over the previous 12 months, according to Darktrace research. And nearly three in five say that they, like MSG, have been attacked more than once. They are also targeted by phishing emails 20% more than organizations in other sectors.
“The reported Madison Square Garden incident should be viewed in the context of a much wider pattern of cyber risk across professional sports,” says Jones. His company’s research “tells us this is not an isolated issue for a single team, venue, or league.”
A breach, of course, “does not need to disrupt a game to cause damage,” he says, pointing to the reputational and financial consequences that can follow when exposed data, compromised executive accounts, or trusted communications are used for fraud.
Jones urges organizations to treat cybersecurity as a business priority as sports become more digital and connected. “Organizations need visibility and control across the systems, identities, data, and partners that keep the business running,” he says.
ShinyHunters is a formidable opponent with a winning streak of successfully breaching high-value targets, often playing on trust relationships in their ecosystems. The group “has demonstrated repeatedly that the most valuable data in an organization is rarely the data an organization thinks to protect most carefully,” says Shane Barney, CISO at Keeper Security.
“Ticketing systems, customer support platforms and internal operational databases are not typically where security investment is concentrated, but they are where years of customer correspondence, internal profiles and sensitive business information quietly accumulate,” says Barney, representing “a gap this group consistently finds and exploits.”
Madison Square Garden’s latest cyber woes “must be used as a reminder that even companies with large budgets are not immune to cyberattacks,” says Matthieu Chan Tsin, senior vice president, resiliency services, at Cowbell.
Barney says it’s worth asking not only how the attacker got in, “but what they were able to reach once inside.”
Operational systems that are governed as administrative infrastructure rather than as high-value targets, he says, “often lack the access controls that more obviously sensitive environments receive” and “when access is not scoped to least privilege, monitored for anomalous behavior or time-limited, the blast radius of any compromise expands well beyond what the initial foothold would suggest.”
Those gaps can be closed by “centralizing access governance, enforcing least privilege across every system that touches customer or employee data and building in continuous monitoring” controls.
“For organizations watching this unfold, the more pressing question is whether they would have detected a similar exfiltration before the attacker announced it publicly. If the answer is uncertain, that is the gap worth addressing first,” says Barney.
While Tsin applauds MSG’s refusal to pay a ransom as “a valiant stand,” he says the Garden “may now be liable to incur a different type of damage.”
And indeed, the legal eagles didn’t waste any time taking aim at MSG. In a New York minute, class-action negligence claims, which contend that MSG’s notification efforts have fallen short, have already hit the US District Court for the Southern District of New York. And the suit accuses the Garden of mishandling the reams of biometric and surveillance data that it gathers on visitors to the arena. MSG’s surveillance activities are a particularly sore point for many fans and privacy experts. There would be more than a smidge of irony if the Garden’s surveillance practices increased its liability in the ShinyHunters incident.
For the time being, fans should assume their information has been exposed and be on the alert for phishing attempts and the like. They should also use unique credentials for their accounts and activate MFA.
And one more thing: They should never forget “Knicks in Five!”

