New York City

Garden of Woe as Madison Square Garden Faces Lawsuit Over Alleged Face Data Leak

AI Assisted Icon
Published on July 10, 2026
Garden of Woe as Madison Square Garden Faces Lawsuit Over Alleged Face Data LeakSource: Wikipedia/Ajay Suresh from New York, NY, USA, CC BY 2.0, via Wikimedia Commons

Madison Square Garden is staring down a proposed class-action lawsuit after what the complaint describes as a June cyberattack that exposed millions of visitors' records, including facial biometric profiles and internal "threat" ratings. The filing says the extortion group ShinyHunters published a sizable cache of files and alleges the arena operator failed to warn or protect affected patrons. Lawyers and privacy experts warn that when biometric identifiers are exposed, the fallout can last for years, because unlike a password, biometric data cannot be changed.

What the lawsuit says

The suit, Henggao Cai v. Madison Square Garden Sports Corp., Case No. 1:26-cv-05103, was filed June 17 in the U.S. District Court for the Southern District of New York, according to the court docket on Justia Dockets & Filings. As reported by Top Class Actions, plaintiff Henggao Cai, represented by Gary F. Lynch and Gerald D. Wells III of Lynch Carpenter LLP, alleges negligence and seeks damages, injunctive relief, restitution, and lifetime identity-theft protection for a proposed nationwide class. The complaint says Cai has spent time monitoring accounts and has suffered a loss of privacy along with an ongoing risk of identity theft.

Files leaked and scale of exposure

Security trackers and reporting say ShinyHunters published roughly 42 to 45 gigabytes of compressed data and claimed more than 26 million consumer and corporate records were exposed, including ticketing and account details, support emails, and facial-recognition surveillance logs and threat-assessment profiles, according to PKWARE. The scale and nature of the dump, widely described as unusually invasive because it contains biometric identifiers, prompted several federal class actions in New York within days of the leak, Front Office Sports reported.

How MSG tracked visitors

Public materials cited in the complaints and in prior reporting indicate the arena used a system known as eConnect, operated in connection with vendor Xtract One, to capture facial biometrics at entry points, automatically build profiles, and assign threat scores that help determine security treatment. WIRED documented vendor materials and internal "work-ups" and reported a roughly $6 million investment tied to the technology, and Hoodline later summarized that investigation for local readers in April.

What plaintiffs want and what comes next

The complaint says Madison Square Garden Sports has not issued a public statement or offered identity-theft monitoring to affected individuals, and it demands a jury trial along with unspecified damages and injunctive relief, according to the filing noted by Top Class Actions. Multiple related suits were filed in New York federal court in the days after the leak, increasing pressure on the company to disclose what was taken and how it plans to protect fans, Front Office Sports reported.

Why this matters for fans

Biometric identifiers are effectively permanent. Unlike a password or card number, you cannot reset a face, which makes leaks of facial-recognition logs uniquely risky for long-term identity and surveillance harms, cybersecurity analysts note (PKWARE). Privacy advocates and city officials who previously questioned MSG’s surveillance practices are likely to press for answers as these cases move forward, as Hoodline reported when it summarized the original WIRED investigation of MSG's surveillance.