5 min read
July 3, 2026

MSG Data Breach: The Championship of Data Extortion

With the rapid acceleration of cloud adoption and interconnected applications, corporate data environments are growing more complex by the hour. As organizations rush to integrate new tools, they are leaving behind a trail of exposed credentials, overprivileged access, and unmonitored assets.

The recent data breach at Madison Square Garden Sports (MSGS) highlights exactly what happens when a sophisticated threat actor gains access to the core of your operational stack. It is a textbook case of modern corporate extortion, demonstrating that the ultimate vulnerability isn't a flaw in your firewall — it is how you govern data and identities inside the SaaS layer.

Anatomy of a High-Visibility Shakedown

This was not a quiet, small, background data heist. The cybercriminal group known as ShinyHunters (them again!) exfiltrated approximately 46 GB of corporate and internal data from MSGS, compromising more than 26 million records. The stolen data included sensitive files tied to fans, employees, executives, celebrities, and New York Knicks personnel.

What makes this incident particularly devastating is the playbook the attackers deployed:

1) Weaponized Timing: While the initial intrusion reportedly occurred on June 5, the threat actors deliberately delayed their public announcement to coincide with the Knicks' high-profile championship run, which culminated in a June 13th NY Knicks victory. They calculated that maximum media visibility would translate to maximum leverage.

2) The "Pay or Leak" Dilemma: Operating on a strict extortion model, ShinyHunters demanded a ransom and issued a hard deadline of June 15. When MSGS refused to comply, the group followed through on their threat, releasing the entire dataset for public download on June 16th.

3) The Scope of Exposure: The fallout goes far beyond basic financial information. The public leak exposed customer contact details, internal corporate notes, background check information, confidential talent management assessments, and potentially even biometric facial recognition data.

How exactly did the breach happen?

In this case, the hackers gained access through Entra ID, likely the main SSO platform of MSGS. Everything important would be behind that SSO: database access, SaaS applications, HR systems, networks, etc.

The hackers phished a low-level employee to gain access to Entra ID and took it a step further: they even had that employee approve 2FA prompts for them and initiate the Self-Service Password Reset process.

The ‘new’ password was promptly compromised by the hackers. All of this was done with something as simple as a phone call to that employee.

What did the hackers take? What was breached?

It appears that the hackers immediately went for Microsoft SharePoint. In Microsoft-heavy organizations, it is usually where the most accessible data is stored, and it requires little effort to access and dump once Entra ID is already compromised. If SharePoint sites were accessible org-wide (which they likely were), then the credentials of that low-level employee were enough for the hackers to dump and retrieve the contents.

According to 404Media, who first reported the breach, sample data included family information of employees and players, pay scales, and even ‘risk’ profiles of performing artists and celebrities.
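The chain described above (a phone-driven self-service password reset followed within minutes by a bulk SharePoint download) is exactly the kind of sequence an automated guardrail can correlate from audit logs. The following is an added example written for this post, not code from MSGS, Microsoft or the author; the audit events are constructed samples in a simplified shape, and the operation names and field names are assumptions rather than the real Entra ID / Microsoft 365 schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events in a simplified shape (field names "ts",
# "user", "op", "site" and the op names are assumptions for this example).
def _downloads(user, start, count, site, step_s=30):
    """Build `count` FileDownloaded events for `user`, one every step_s seconds."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i * step_s)).isoformat(),
             "user": user, "op": "FileDownloaded", "site": site}
            for i in range(count)]

SAMPLE_EVENTS = (
    # jdoe: social-engineered self-service reset, then a SharePoint dump
    [{"ts": "2026-06-05T09:02:00", "user": "jdoe", "op": "SsprPasswordReset"}]
    + _downloads("jdoe", "2026-06-05T09:05:00", 60, "Corp-HR")
    # bsmith: legitimate reset followed by ordinary activity (must NOT alert)
    + [{"ts": "2026-06-05T10:00:00", "user": "bsmith", "op": "SsprPasswordReset"}]
    + _downloads("bsmith", "2026-06-05T10:10:00", 3, "Marketing")
    # asmith: heavy downloads with no reset (out of scope for this rule)
    + _downloads("asmith", "2026-06-05T11:00:00", 80, "Marketing")
)

def find_post_reset_download_bursts(events, window_minutes=60, threshold=50):
    """Return one alert per self-service password reset that is followed,
    within window_minutes, by at least `threshold` FileDownloaded events
    from the same account. Events may arrive in any order."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for r in (e for e in events if e["op"] == "SsprPasswordReset"):
        t_reset = datetime.fromisoformat(r["ts"])
        hits = [e for e in events
                if e["user"] == r["user"] and e["op"] == "FileDownloaded"
                and t_reset < datetime.fromisoformat(e["ts"]) <= t_reset + window]
        if len(hits) >= threshold:
            alerts.append({"user": r["user"], "reset_ts": r["ts"],
                           "downloads": len(hits),
                           "sites": sorted({e["site"] for e in hits})})
    return alerts

if __name__ == "__main__":
    for a in find_post_reset_download_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: {a['downloads']} downloads from {a['sites']} "
              f"within 60 min of the reset at {a['reset_ts']}")
```

In production the same logic would read the unified audit log rather than an in-memory list, and the alert would feed the automated revocation step rather than a print statement.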

The danger of collecting and storing too much

The sample data also contains facial recognition data of potentially millions of patrons. MSG had been using facial recognition technology since 2018, “to provide a safe and wonderful experience for our guests,” as it said in a statement.

The NYT reported in 2023 that, in reality, this tech was used to detect individuals with legal battles against MSG networks and ban them from the premises. As a result of the breach, MSG now faces another lawsuit from some of its customers, who feel they were illegally monitored and now have biometric data exposed to the world through no fault of their own.

This illustrates the risk of housing this much customer data: even if the collection was legitimate, data retention policies allow for the scheduled purging of unnecessary high-risk data, which prevents it from falling into the wrong hands.

A modern identity threat

The MSG breach perfectly illustrates why traditional, perimeter-heavy security infrastructure fails to protect data once it resides inside corporate cloud environments. Let’s break down the core realities that security teams must face:

1. Business Metadata is Just as Dangerous as PII

Many security programs focus exclusively on protecting structured compliance data, like credit card numbers or Social Security numbers. However, the MSGS incident proves that unstructured operational data — such as executive assessments, background investigations, and private internal notes — can cause equal legal, financial, and reputational damage when exposed. The cost of a data breach isn’t just monetary anymore. If your security tool cannot see or classify this context, you are blind to your actual risk surface.

2. Identity is the New Perimeter

Attack groups like ShinyHunters rarely waste time trying to crack hardened network perimeters. Instead, they exploit compromised credentials, session tokens, cloud identities, or third-party app integrations to walk right through the front door. Once an identity is assumed or a token is hijacked, multi-factor authentication can be bypassed entirely, allowing threat actors to navigate corporate systems undetected.

3. The Procrastination Penalty is Lethal

Traditional security evaluations often rely on point-in-time checks or manual reviews. But threat actors move on an event-driven basis, exfiltrating vast amounts of data in narrow windows. When permissions stay open indefinitely, contractors retain access long after projects end, or internal files are shared with personal email accounts, these small security drifts accumulate into a massive blast radius.

Moving from Static Visibility to Real-Time Remediation

The critical lesson here is that simply knowing a file is shared or an account exists does not keep an organization secure.

If your security strategy stops at visibility, you have already lost the race against a live attacker.

When an incident occurs, the fallout lasts far longer than the breach itself.

Victims face heightened social engineering and phishing campaigns, while organizations must navigate regulatory penalties, public relations challenges, and potential litigation.

To protect modern SaaS ecosystems, data security can no longer operate on a delay. Organizations must transition to automated guardrails capable of discovering overshared assets, verifying identity context against HR systems, and instantly revoking access when data leaves trusted domains.

The objective is simple: ensure that an administrative oversight or compromised identity triggers an instant, automated correction rather than a business-disrupting headline.


Albert is DoControl's Principal Solutions Engineer, where he leverages his extensive background in both pre-sales and post-sales consulting to help organizations strengthen their data protection strategies. Albert has built a reputation as a trusted technical consultant who bridges the gap between complex security solutions and real-world business needs.

His unique background in technical support has proven invaluable in winning customer trust, demonstrating his ability to translate technical expertise into measurable business outcomes. He brings this same combination of technical depth and customer-focused thinking to his writing, offering practical insights for security and IT professionals navigating the evolving SaaS security landscape.
