
Editor's Note: This article has been updated to reflect a subsequent development in one of the cases referenced below.
Madison Square Garden is staring down proposed class-action lawsuits after what the complaints describe as a June cyberattack that exposed millions of visitors' records, including facial biometric profiles and internal "threat" ratings. The filings say the extortion group ShinyHunters published a sizable cache of files and allege the arena operator failed to warn or protect affected patrons. Lawyers and privacy experts warn that when biometric identifiers are exposed, the fallout can last for years, because unlike a password, biometric data cannot be changed.
What the lawsuit says
One suit, Henggao Cai v. Madison Square Garden Sports Corp., Case No. 1:26-cv-05103, was filed June 17 in the U.S. District Court for the Southern District of New York, according to the court docket on Justia Dockets & Filings. As reported by Top Class Actions, plaintiff Henggao Cai, represented by Gary F. Lynch and Gerald D. Wells III of Lynch Carpenter LLP, alleged negligence and sought damages, injunctive relief, restitution, and lifetime identity-theft protection for a proposed nationwide class. The complaint said Cai had spent time monitoring accounts and had suffered a loss of privacy along with an ongoing risk of identity theft. That case was subsequently voluntarily dismissed without prejudice on June 30, 2026, pursuant to a notice filed by plaintiff's counsel under Fed. R. Civ. P. 41(a)(1)(A)(i), with each side bearing its own fees and costs.
Files leaked and scale of exposure
Security trackers and reporting say ShinyHunters published roughly 42 to 45 gigabytes of compressed data and claimed more than 26 million consumer and corporate records were exposed, including ticketing and account details, support emails, and facial-recognition surveillance logs and threat-assessment profiles, according to PKWARE. The scale and nature of the dump, widely described as unusually invasive because it contains biometric identifiers, prompted several federal class actions in New York within days of the leak, Front Office Sports reported.
How MSG tracked visitors
Public materials cited in the complaints and in prior reporting indicate the arena used a system known as eConnect, operated in connection with vendor Xtract One, to capture facial biometrics at entry points, automatically build profiles, and assign threat scores that help determine security treatment. WIRED documented vendor materials and internal "work-ups" and reported a roughly $6 million investment tied to the technology, and Hoodline later summarized that investigation for local readers in April.
What plaintiffs want and what comes next
Among the related suits still active, the complaint in Avalo v. Madison Square Garden Entertainment Corp. says Madison Square Garden has not issued a public statement or offered identity-theft monitoring to affected individuals, and it demands a jury trial along with unspecified damages and injunctive relief, according to reporting by Front Office Sports. Multiple related suits were filed in New York federal court in the days after the leak, increasing pressure on the company to disclose what was taken and how it plans to protect fans.
Why this matters for fans
Biometric identifiers are effectively permanent. Unlike a password or card number, you cannot reset a face, which makes leaks of facial-recognition logs uniquely risky for long-term identity and surveillance harms, cybersecurity analysts note (PKWARE). Privacy advocates and city officials who previously questioned MSG’s surveillance practices are likely to press for answers as these cases move forward, as Hoodline reported when it summarized the original WIRED investigation of MSG's surveillance.









