MADISON Square Garden confirmed a data breach tied to the 2025 Oracle E-Business Suite hacking campaign, part of a wider operation that affected more than 100 organisations. In the campaign, the Cl0p ransomware group exploited zero-day flaws to access data from MSG and others, with breaches reported as occurring in August 2025 and the broader attack highlighted in November 2025.
An October 2025 emergency patch for a critical flaw tracked as CVE-2025-61882 (CVSS 9.8) was released by Oracle to address the vulnerability in the E-Business Suite, which attackers used to take control of the Oracle Concurrent Processing component.
According to the data breach notification letter sent to the Maine Attorney General’s Office, a file containing a name and Social Security number was involved, and MSG began notifying affected individuals after third-party verification confirmed the theft of personal data. MSG is offering affected individuals one year of credit monitoring, through Cyberscout, to help detect misuse of information and provide identity theft protection.