The Madison Square Garden Family of Companies this week confirmed it notified an undisclosed number of people about an August 2025 data breach that compromised names and Social Security numbers.
The company, which operates famous entertainment venues like Madison Square Garden and Radio Music Hall, said hackers exploited a zero-day vulnerability in Oracle’s E-Business Suite software. The software was hosted and managed by an unnamed third-party vendor.
A ransomware group called Clop (Cl0p) took credit for the breach in November 2025. Around the same time, Clop successfully attacked hundreds of organizations by exploiting the Oracle zero-day vulnerability.
MSG has not acknowledged Clop’s claim, and Comparitech cannot independently verify it. We do not know how many people MSG notified, if MSG paid a ransom, or how much Clop demanded. Comparitech contacted Madison Square Garden Entertainment for comment and will update this article if it replies.
“Oracle notified its customers that a previously undisclosed condition in the application had been exploited by an unauthorized person to gain access to data from the application,” says MSG’s notice (PDF) to victims. “The investigation determined in late November 2025 that an unauthorized person gained access to some data from the application in August 2025.”
MSG is offering eligible victims one year of free credit monitoring through TransUnion. The deadline to enroll is 90 days from receipt of the notice letter.
Who is Clop?
Clop, or Cl0p, is a high-profile ransomware group that first surfaced in 2019. It specializes in exploiting zero-day software vulnerabilities, most recently in Oracle’s E-Business Suite and the Cleo file transfer software. Cl0p targets any organization using the vulnerable software. Like some other ransomware groups, Clop doesn’t always encrypt files. Instead, it steals data and then demands a ransom to not publish or sell it.
Clop claimed responsibility for 456 ransomware attacks in 2025, and 31 of the targeted organizations confirmed the resulting data breaches. The confirmed attacks alone compromised about 3.75 million personal records.
Some of Clop’s other victims that fell to the the Oracle zero-day exploit include Harvard University, GlobalLogic, SATO Corporation, and Dartmouth College.
In 2026 to date, Clop says it’s hacked another 123 organizations, including French labor union CFDT. It’s most recent attacks exploit a newer vulnerability in Gladinet CentreStack file servers.
Ransomware attacks in the USA
In 2025, Comparitech researchers logged 646 confirmed ransomware attacks on US organizations, plus 3,193 unconfirmed attack claims made by ransomware groups. Nearly 42 million records were breached in the confirmed attacks.
Clop was responsible for the third-largest of those attacks when it exploited the Oracle zero-day vulnerability at the University of Phoenix, which later notified 3.5 million people about the resulting breach.
In 2026, we’ve recorded 17 confirmed attacks so far and are monitoring 624 unconfirmed claims.
Other attacks confirmed this week include:
- The city of Carthage, TX reported a December 2024 breach claimed by Rhysida
- Hennessy Advisors notified 12,643 people about a March 2025 data breach claimed by LockBit
- KCI Telecommunications reported an August 2025 data breach claimed by Akira
- The Lewis Bear Company notified 555 people of a December 2025 data breach claimed by Akira
Ransomware attacks can both lock down computer systems and steal data, though Clop’s case, it’s most likely just the latter. If companies refuse to pay the ransom, cybercriminals threaten to sell or publish stolen data. The organizations that refuse to pay can face permanent data loss, extended downtime, and putting data subjects at increased risk of fraud.
About Madison Square Garden Family of Companies
The Madison Square Garden Family of Companies includes Madison Square Garden Sports Corp., Madison Square Garden Entertainment Corp., and Sphere Entertainment Co. It owns and operates famous entertainment venues including the titular Madison Square Garden, Radio City Music Hall, and the Las Vegas Sphere.
