Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Mar 06, 2026 · 5 min read

MSG Told 131,000 People Their SSNs Were Stolen—Months After Hackers Leaked 210GB of Data

The Cl0p ransomware group exploited a zero day in Oracle's enterprise software. Over 100 companies were hit. Madison Square Garden is one of the first to start sending notifications.

An arena entrance at night with security barriers and dim overhead lighting, photographed in a moody editorial style with cool blue tones

131,000 People, Seven Months Late

Madison Square Garden Entertainment began notifying 131,070 individuals in March 2026 that their personal data, including names, addresses, and Social Security numbers, had been stolen in a cyberattack that happened in August 2025.

The Cl0p ransomware and extortion group had already claimed responsibility in November 2025, adding MSG to its data leak site and publishing more than 210 gigabytes of stolen files after the company apparently refused to pay a ransom. The stolen data has been publicly accessible for months. The notification letters are only arriving now.

The Oracle Zero Day That Hit 100 Companies

The breach traces back to CVE-2025-61882, a critical zero day vulnerability in Oracle's E-Business Suite with a CVSS score of 9.8 out of 10. The flaw sits in the BI Publisher Integration component of Oracle's Concurrent Processing product and can be exploited remotely by an unauthenticated attacker to achieve remote code execution.

Cl0p began exploiting the vulnerability as early as August 9, 2025, weeks before Oracle released a patch. Google's threat intelligence team documented suspicious activity dating back to July 10. By the time Oracle notified customers of what it called "a previously undisclosed condition in the application," the attackers had already been inside for weeks.

Over 100 companies were hit in the campaign. In a single 24 hour window between November 20 and 21, Cl0p claimed 29 additional victims. The list of named organizations includes Harvard University, The Washington Post, American Airlines subsidiary Envoy Air, Schneider Electric, Logitech, and Cox Enterprises.

What MSG Said

According to MSG's notification, the affected Oracle EBS instance was "hosted and managed for us by a vendor" for "certain workforce and financial operations." The compromised files contained business records related to hiring and payments, not ticket buyer data.

MSG is offering at least one year of complimentary credit monitoring and identity protection through Cyberscout, a TransUnion subsidiary. The company reported the incident to authorities in California and Maine, where 11 residents were confirmed affected.

MSG has not publicly acknowledged Cl0p's involvement, even though the group named itself and published the stolen data. The company's notification refers only to a "cybersecurity incident" involving a third party vendor.

The Extortion Playbook

Cl0p has refined its approach over the past two years. Rather than deploying ransomware that encrypts files and disrupts operations, the group focuses on data exfiltration and extortion. They find a zero day in widely used enterprise software, exploit it at scale before patches are available, steal data from as many organizations as possible, and then threaten to publish unless the victims pay.

This is the same playbook Cl0p used with the MOVEit Transfer vulnerability in 2023 and the GoAnywhere MFT flaw before that. The Oracle EBS campaign follows the identical pattern: find a critical flaw in software that thousands of enterprises depend on, exploit it before anyone can respond, and monetize the stolen data.

Starting September 29, 2025, the group launched a mass email campaign from hundreds of compromised third party accounts, contacting executives at victim organizations to inform them their data had been stolen. It is corporate extortion conducted at industrial scale.

The Third Party Problem

MSG's breach highlights a reality that most organizations prefer not to think about: your data security is only as strong as your weakest vendor. MSG did not operate the Oracle EBS instance that was breached. A third party vendor hosted and managed it. But it was MSG's employees and contractors whose Social Security numbers ended up on a ransomware group's leak site.

This is not a new problem. It is the same dynamic behind the SolarWinds attack, the Kaseya breach, and dozens of other incidents where attackers compromise a vendor to reach the actual target. The difference is scale. When the vulnerability sits in enterprise software used by thousands of companies, a single zero day can compromise an entire industry sector in weeks.

What to Do if You're Affected

If you receive a notification letter from Madison Square Garden Entertainment:

  • Enroll in the free credit monitoring immediately. One year is not enough, but it is better than nothing.
  • Freeze your credit with all three bureaus (Equifax, Experian, TransUnion). This prevents anyone from opening new accounts in your name, even with your SSN.
  • Monitor your existing accounts for unfamiliar transactions, especially payroll and tax related activity.
  • File an IRS Identity Protection PIN request to prevent fraudulent tax returns using your stolen SSN.

The data has been public for months. If you worked for or did business with MSG, assume your information is compromised and act accordingly. Do not wait for the letter.