{"id":17765,"date":"2026-06-27T09:15:03","date_gmt":"2026-06-27T16:15:03","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=17765"},"modified":"2026-06-27T09:15:03","modified_gmt":"2026-06-27T16:15:03","slug":"how-a-ticket-check-at-msg-became-a-biometric-dragnet-and-four-lawsuits","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/06\/27\/how-a-ticket-check-at-msg-became-a-biometric-dragnet-and-four-lawsuits\/","title":{"rendered":"How a Ticket Check at MSG Became a Biometric Dragnet and Four Lawsuits"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Diabolical that they didn&#8217;t pay the hackers. But the data is out, and probably squirreled away by the federal government before the hack. And it just shows you can&#8217;t trust any of these companies to keep your private information safe, as due to hacks I&#8217;ve had free credit monitoring and my credit locked for half a decade or more, thanks AT&amp;T, my former employer. And they want us to trust third parties with our ID and a face video in these age verification schemes? 
Nope.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/reclaimthenet.org\/how-a-ticket-check-at-msg-became-a-biometric-dragnet-and-four-lawsuits\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/reclaimthenet.org\/how-a-ticket-check-at-msg-became-a-biometric-dragnet-and-four-lawsuits<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_63668b5d-060c-4256-98ba-202a3aef14a9\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<h5 class=\"wp-block-heading\">The turnstile that used to check your ticket now measures your face, scores you, and files you away.<\/h5>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/media.reclaimthenet.org\/2026\/06\/OM4diUByWADv-scaled.jpg\" alt=\"Blue-toned female face with geometric facial recognition overlay and abstract red, purple shapes and a side profile in the background.\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">By Ken Macon<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Amongst the 42 gigabytes of data that hackers dumped onto the open internet this month is a file that rates the actor Ben Stiller as \u201cLow Risk.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Another, according to people who have seen the cache, flags the rapper A Boogie Wit da Hoodie as \u201cHigh Risk.\u201d A private company had been assigning threat scores to the people who walked through its doors, and those scores, along with the personal information used to build them, are now on a criminal leak site for anyone to download.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A flurry of lawsuits has been filed. The defendants are the entertainment companies James Dolan controls. 
Chief among them is Madison Square Garden Entertainment, which owns the arena along with Radio City Music Hall, the Beacon Theatre, and the Chicago Theatre; beside it is Madison Square Garden Sports, the separate public company that owns the Knicks and the Rangers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>We obtained a copy of the lawsuits for you <a href=\"https:\/\/media.reclaimthenet.org\/2026\/06\/rPc3SjnlcaAf.pdf\">here<\/a>, <a href=\"https:\/\/media.reclaimthenet.org\/2026\/06\/0jPWL47UD8pb.pdf\">here<\/a>, <a href=\"https:\/\/media.reclaimthenet.org\/2026\/06\/A2CNBabFp5Ox.pdf\">here<\/a>, and <a href=\"https:\/\/media.reclaimthenet.org\/2026\/06\/z1KI1qnO4hUi.pdf\">here<\/a>.&nbsp;<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A third Dolan company, Sphere Entertainment, runs the Sphere in Las Vegas, spun off from MSG Entertainment in 2023. The four lawsuits do not all name the same company.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In June 2026 the group was breached by ShinyHunters, a crew with a long record of high-profile data thefts. The hackers say they took roughly 26 million records, demanded a ransom, and published everything when MSG refused to pay. Four class actions followed within days in the Southern District of New York.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On its face this is an ordinary corporate security failure, the kind that happens weekly. But MSG is not an ordinary defendant and the data it lost is not ordinary data. What makes the breach a civil-liberties story rather than an IT story is the thing the company had built at its entrances: a system that turned a ticket check into a biometric checkpoint.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Walk into Madison Square Garden and you pass through what looks like a standard checkpoint: metal detectors, cameras, staff. 
The cameras feed a facial-recognition system.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The arena began using face recognition around 2018, built around an outside vendor. Court filings say MSG put an initial $6 million into a company called Xtract One, whose cameras and detection hardware run software called eConnect through the entry lanes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Facial recognition works like this. A camera captures your face, software measures the geometry of your features (the distances and proportions that make it distinct) and turns that into a string of numbers called a faceprint, or biometric template. The faceprint is what gets stored. The next time you appear on camera, the system builds a new one and compares it against the saved set. A match is what the system calls recognition.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A faceprint has one property that changes everything: it is permanent. When a database of faceprints leaks, the people in it are exposed for good because the identifier behind the exposure can never be revoked. That is what separates a biometric breach from the ordinary kind. It\u2019s not so easy to get a new face.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On top of the faceprints, the lawsuits say, MSG built what its filings call \u201cthreat assessment profiles.\u201d The Avalos complaint describes the recipe: biometric data, plus a person\u2019s name and demographic details, plus their social-media activity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The vendor\u2019s CEO is quoted in the underlying reporting explaining how he can pull someone\u2019s photo off social media, feed it into the eConnect database, and flag that person as they walk up to the building. 
The system assigns a score.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Court filings point to specific examples from WIRED\u2019s reporting: a child rated \u201cPriority 8 Watchlist\u201d over a supposedly invalid ticket, with \u201c100% confidence;\u201d a former employee, by then a police-academy recruit, tagged \u201cPriority 2 Watchlist\u201d under a note in capital letters that read \u201cOBSERVE: DO NOT APPROACH.\u201d The score decides whether a visitor is watched from across the room, met by an unfriendly guard, or refused entry.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One complaint claims a profile like this is built for every visitor who enters the arena. That claim is pleaded on information and belief, not established, and MSG has not said publicly how much it collects or keeps.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What is on the record, from reporting that predates the breach, is that the company has used the system for things that have nothing to do with stopping violence. In 2022 MSG used facial recognition to enforce a ban on lawyers whose firms were in litigation against it, reportedly scraping firm websites for photos of more than a thousand attorneys. One of them, Kelly Conlon, a New Jersey lawyer whose firm had a case against a restaurant under the MSG umbrella, was <a href=\"https:\/\/reclaimthenet.org\/radio-city-music-hall-uses-facial-recognition-to-keep-out-blacklisted-guests\">pulled out of the lobby of Radio City Music Hall<\/a> while chaperoning her daughter\u2019s Girl Scout troop at the Rockettes\u2019 Christmas Spectacular. The cameras flagged her; security turned her away. 
She did not practice in New York and was not even working on the case.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Two different things are getting reported as if they were the same: what the leak is confirmed to contain, and what the lawsuits allege it might contain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Confirmed, from the sample 404 Media reviewed: customer personal information; a roster of \u201ctalent,\u201d including former Knicks players and coaches, with fields like \u201cclaim to fame\u201d and \u201ccost of talent\u201d; contact details for celebrities and their representatives; emails between customers and MSG; and at least two threat-assessment profiles of well-known people. The ransom note told MSG to pay or be posted. MSG did not pay.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Alleged, but not established: that the full biometric database for tens of millions of people was in the stolen files. The complaints hedge here, saying the biometric data \u201cmay have been compromised\u201d and that the categories of stolen information are \u201cdangerously unclear.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One complaint argues, on information and belief, that the files were unencrypted, reasoning that the attackers could plainly read what they took. Whether the faceprints sat in that unencrypted pile is the question discovery is built to answer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If the leak is only names, emails, and addresses, it is a bad breach that exposes millions to phishing and fraud, but a survivable one. If it includes faceprints, the harm has no fix because the victims can\u2019t change what was taken. Right now nobody outside MSG knows which it is, and the company\u2019s silence is itself part of the story.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The four complaints are close cousins but their differences track the hardest open questions in American data-privacy law. 
They do not even agree on whom to sue: most name a single MSG entity, while Alan Pitt\u2019s names two, MSG Sports and MSG Entertainment together.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Carlos Avalos and Victor Granados both attended events at the Garden. Pitt went to other venues, three shows at the Beacon Theatre and many at the Sphere, which stretches the proposed class past the arena. Henggao Cai takes the most aggressive position: he says he provided his information to MSG \u201cdirectly or indirectly.\u201d Those two words are a bid to sweep in people who never personally handed over their data but whose information reached MSG anyway, through a reseller, a third party, or a camera at the door. If that theory holds, the class grows enormously.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The claims themselves are more conventional. Most rest on negligence: MSG owed visitors a duty to protect the data it collected, failed to secure it, and caused foreseeable harm.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Several add negligence per se, which lets a plaintiff treat a statutory violation as proof of a breached duty. The statute is Section 5 of the Federal Trade Commission Act, which bars \u201cunfair or deceptive acts or practices\u201d and which the FTC has long read to require reasonable data security. Cai\u2019s complaint goes further, adding breach of implied contract, breach of the implied covenant of good faith, and unjust enrichment; Pitt\u2019s adds breach of fiduciary duty. The unjust-enrichment theory argues that MSG profited from data it then failed to protect.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There is a wrinkle the plaintiffs concede: the FTC Act gives private individuals no right to sue. So it can\u2019t be a claim on its own. 
It rides along as the predicate for negligence per se, a move some courts accept and others throw out, and it is one of several places the litigation is untested.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The deepest uncertainty is standing, the constitutional rule that a plaintiff must show concrete injury rather than a hypothetical one. The Supreme Court tightened that rule in 2021 in <a href=\"https:\/\/media.reclaimthenet.org\/2026\/06\/dbOoL2RBpAW5.pdf\">TransUnion v. Ramirez<\/a>, and data-breach plaintiffs have struggled with it since.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Court held that an increased risk of future harm is not, by itself, a concrete injury that gets you into federal court. You generally have to show the harm materialized, or at least that you face more than speculation. Defendants now reach for TransUnion by reflex: the data leaked, fine, but has this plaintiff actually been defrauded? If not, they say, there is no case.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The biometric angle is where that defense gets harder. Courts have been readier to find concrete injury when the leaked data is permanent and intimate. A faceprint, paired with a dossier built to sort and watch people, is harder to dismiss as speculative than a leaked email address. If the plaintiffs can show biometric templates were in the dump, the standing question shifts, and MSG\u2019s best procedural defense loses much of its force.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There is a gap in the law worth naming. Illinois has the strongest biometric privacy statute in the country, the Biometric Information Privacy Act, or BIPA, which requires informed written consent before a company can take your faceprint and lets people sue for statutory damages when a company skips that step.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">New York has no statewide equivalent. 
New York City has a narrower biometric-identifier ordinance for commercial venues, but it is far weaker than BIPA, and it is the reason a sign about \u201cBiometric Identifier Information\u201d hangs outside Radio City at all.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A New Yorker scanned and scored at the Garden has far less protection than an Illinoisan in the same seat. So the plaintiffs improvise, building their case out of common-law negligence and a federal statute they can\u2019t sue under, a workaround that exists because the law never caught up to the technology.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Litigation after the fact is a thin substitute for not building the hazard at all. The lasting fix is a law: a biometric privacy statute with teeth and a private right of action, on the BIPA model, so that scanning a face takes real informed consent and creates liability the moment it happens without one.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">New York\u2019s lack of such a law is why these plaintiffs have to improvise. Pair the statute with a data-minimization rule: collect only what a stated purpose needs, keep it only as long as necessary, then delete it. At that point \u201cevery visitor gets a permanent profile\u201d stops being merely reckless and becomes illegal.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For individuals the options are thin. You can\u2019t decline the camera at a turnstile the way you dismiss a cookie banner and you cannot reset your face after it leaks. You can watch for breach-related phishing, freeze your credit, treat unexpected MSG-branded messages as suspect. But the burden falls on the people who had the least say in any of it and with biometric data that imbalance does not heal.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A turnstile used to be where someone checked your ticket. 
At Madison Square Garden it became a place that measured your face, scored you, and filed you away, without most people ever knowing.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Diabolical that they didn&#8217;t pay the hackers. But the data is out, and probably squirreled away by the federal government before the hack. And it just shows you can&#8217;t trust any of these companies to keep your private information safe, as due to hacks I&#8217;ve had free credit monitoring and my credit locked for half [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-17765","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17765","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=17765"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17765\/revisions"}],"predecessor-version":[{"id":17766,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17765\/revisions\/17766"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=17765"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jaso
nsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=17765"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=17765"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}