MSG Data Breach Lawsuit Puts Dolan’s Facial Recognition/Data Fight in Spotlight

Madison Square Garden Entertainment is facing a proposed class action lawsuit over an apparent data breach that allegedly exposed sensitive information tied to the company’s controversial surveillance and facial recognition systems, putting James Dolan’s long-running fight over venue access and biometric screening back under renewed scrutiny.

The lawsuit, filed June 16 in federal court in the Southern District of New York by plaintiff Carlos Avalos (embedded below), accuses MSG Entertainment of failing to properly secure personally identifiable information collected from visitors to Madison Square Garden. The complaint alleges that hackers associated with ShinyHunters posted a data cache described as more than 42 gigabytes of compressed data and more than 26 million records after MSG did not pay a ransom.

MSG Entertainment, which owns Madison Square Garden, is the named defendant. Madison Square Garden Sports, which owns the New York Knicks and New York Rangers, is not. MSG has not yet publicly responded to the alleged breach, or the lawsuit.

In the complaint, the data incident is framed as an action driven by MSG’s “recidivist disregard for consumer privacy” and “complete and utter failure to properly secure and safeguard personally identifable information.”

“Defendant has a tempestuous history with respect to data privacy,” the complaint continues. “Defendant is infamous for collecting biometric facial recognitition data from each consumer which enters the arena. Despite a slew of lawsuits regarding this conduct, as well as consternation from pravacy advocates and legislators in New York, the Arena – at the direction of its owner James Dolan – continues to collect [this] information from each visitor.”

According to the filing, the allegedly exposed data includes threat assessment reports, address information, celebrity data, internal documents on talent costs, contact information for talent representatives, and correspondence from consumers raising concerns about MSG’s facial recognition practices. It also alleges that samples reviewed by media outlets included risk-assessment profiles tied to biometric data and other identifiers.

Avalos alleges his information was collected when he attended a September 2025 concert at MSG and says he believes it was compromised because the breach allegedly included threat-assessment profiles for millions of visitors from the same period.

The proposed nationwide class would include all U.S. residents whose personally identifiable information was maintained by MSG and allegedly compromised.

The lawsuit brings negligence and negligence per se claims, arguing MSG had a duty to use reasonable data-security practices given the sensitivity of the information it collected. It seeks class certification, damages, restitution, penalties where available, attorneys’ fees, and injunctive relief requiring improved data protections.

The complaint emphasizes the nature of the data, alleging MSG collected more information than necessary and used biometric, social media and other inputs to build threat assessment profiles for attendees. That system has been the subject of years of legal and political controversy in New York.

TicketNews previously covered MSG’s use of facial recognition to enforce a ban on attorneys whose firms were involved in litigation against the company. The policy drew widespread attention after lawyers were denied entry to events, including a widely reported incident in which an attorney chaperoning her daughter’s Girl Scout troop at a Rockettes performance was escorted out.

The ban also intersected with ticketing law. One targeted firm was involved in litigation accusing MSG and teams at its venues of violating New York Arts & Cultural Affairs Law protections, including rules against denying entry to holders of valid resale tickets or canceling tickets because they were resold.

MSG defended the policy as lawful conduct by a private business. Critics, including lawmakers and New York Attorney General Letitia James, argued that using facial recognition in this way raised broader civil rights and consumer access concerns.

“Anyone with a ticket to an event should not be concerned that they may be wrongfully denied entry based on their appearance,” James said in 2023, warning the practice could violate state and federal law.

The controversy drew scrutiny from the New York State Liquor Authority, which reportedly questioned MSG’s ability to maintain liquor licenses while excluding patrons. Lawmakers also threatened to revisit the venue’s long-standing property tax exemption.

The new lawsuit adds a different dimension. Where earlier disputes focused on whether MSG could use biometric tools to exclude perceived adversaries, the complaint asks what happens when a company collects that level of sensitive data and then allegedly fails to secure it. It cites prior reporting on MSG’s “Threat Management Department,” as well as vendor technology, watchlists and tracking systems that generated time-stamped movement logs and risk labels.

The lawsuit points to examples referenced in that reporting, including a child allegedly placed on a watchlist after using an invalid ticket and a former employee flagged as “Priority 2 Watchlist” with an alert reading “OBSERVE: DO NOT APPROACH.” Those allegations remain unproven but highlight the central issue: not just whether basic personal data was exposed, but whether a major venue created detailed surveillance dossiers on attendees and failed to protect them.

The complaint also cites prior MSG-related cybersecurity incidents, including a 2015–2016 point-of-sale breach involving payment cards and a more recent Oracle eBusiness Suite breach involving employee data such as names and Social Security numbers.

It argues those incidents made the latest breach foreseeable and should have prompted stronger safeguards, particularly given the sensitivity of the data allegedly collected.

For the broader live events industry, the case arrives as more venues adopt facial recognition and other biometric tools for entry, payment and security. Operators often frame them as convenience or safety features, while privacy advocates warn they can become opaque access-control systems with limited consumer consent.

That concern has been especially tangible at MSG, where facial recognition was actively used to enforce an exclusion policy against perceived adversaries.

The lawsuit does not resolve those underlying questions or establish that all categories of alleged data were exposed. But it sharpens a central issue for fans and regulators: when a venue collects expansive data about who enters, where they go and how they are classified, the risk does not end at the turnstile.

If that information is retained and linked to broader identity records, it becomes a high-value cybersecurity target. The lawsuit seeks to hold MSG responsible for what it characterizes as the predictable result of building a powerful surveillance system without adequate safeguards.

MSG Data Breach Class Action Lawsuit Complaint: