A high-stakes ‘vishing’ attack on June 5, 2026, allowed cybercrime group ShinyHunters to breach Madison Square Garden Entertainment’s network after hackers phoned a low-level employee, impersonated a trusted caller, and hijacked their Microsoft Entra credentials.

The breach produced 45 gigabytes of data spanning 26 million customer records, biometric surveillance logs, and a dossier on activists who had publicly opposed MSG’s facial recognition program.

ShinyHunters published the files on June 16 after MSG missed the June 15 ransom deadline. According to 404 Media, a document titled “Facial Recognition Activists.docx” was stored in a company-wide SharePoint folder and profiled three critics, drawing on their backgrounds, contact details, social media follower counts, and screenshots of public statements.

They are Adam Schwartz, privacy litigation director at the Electronic Frontier Foundation (EFF), Albert Fox Cahn, founder of the Surveillance Technology Oversight Project (STOP), and Evan Greer, director of Fight for the Future.

“Biometric surveillance like face recognition is especially dangerous, because we can’t change our faces and we show them wherever we go,” Schwartz told CNET.

MSG has deployed facial recognition cameras at its venues since 2018. A Wired investigation in April 2026 found Chief Security Officer John Eversole scraped photos from more than 90 law firm websites, adding roughly 1,200 attorneys in active litigation against the company to its recognition database.

At least three federal class-action lawsuits have been filed, including Avalo v. MSG Entertainment in the Southern District of New York seeking $5 million in initial damages.

“No one should be tracked by a company or excluded from a venue for exercising their right to free speech,” STOP Executive Director Michelle Dahl stated, calling on the New York City Council to ban biometric surveillance in arenas and public accommodations.