Madison Square Garden Faces Class Actions Over a Facial-Recognition Data Breach (2026)
Madison Square Garden Faces Class Actions Over a Facial-Recognition Data Breach (2026)
Proposed class actions hit Madison Square Garden Entertainment in mid-June 2026 after hackers published internal data the plaintiffs say includes facial-recognition entry records. The suits, filed in the Southern District of New York, plead negligence. The allegations are unproven (see Avalo v. MSG Entertainment Corp., No. 1:26-cv-05095).
Information last verified on June 24, 2026. This is a developing story; we update it as the record changes.
Status: Proposed class actions filed in the Southern District of New York beginning June 16, 2026. The allegations are unproven and no court has ruled on the merits as of June 24, 2026.
Jurisdiction scope: This article addresses class-action litigation in federal court in New York and the underlying biometric and data-breach law. It is general legal information, not legal advice. For related topics see biometric privacy laws and New York biometric privacy rules.
What Happened
According to the complaints and widely reported breach coverage, the hacking group ShinyHunters published roughly 45 gigabytes of internal Madison Square Garden Entertainment data in mid-June 2026, reportedly after the company did not meet a ransom deadline. Plaintiffs and reporters describe the leaked trove as including the company's facial-recognition entry-surveillance logs and records, internal threat-assessment reports, background-check information, and customer records. The hackers claim the data covers up to 26 million people. Those figures are the hackers' and plaintiffs' assertions; MSG has not confirmed them, and they remain unverified by any court.
The first proposed class action followed quickly. In Avalo v. Madison Square Garden Entertainment Corp., No. 1:26-cv-05095 (S.D.N.Y. filed June 16, 2026), a concertgoer who says he attended an MSG concert in September 2025 alleges that the venue scanned his biometric and facial data at entry and that his information was exposed in the breach. The complaint pleads common-law negligence and negligence per se, alleging that MSG failed to implement reasonable data-security measures to protect the personal and biometric information it collected. It seeks at least $5 million in damages on behalf of a proposed class, along with restitution and a court order requiring MSG to strengthen its data-security and data-retention practices.
The Avalo case was not the only one. Reporting indicates that several more proposed class actions followed in the same court, with as many as five filed in the Southern District of New York by June 18, 2026. Each rests on similar theories: that MSG collected sensitive data, including facial-recognition records, and allegedly failed to safeguard it. Again, every one of these filings reflects allegations the plaintiffs must still prove. No defendant is liable merely because a complaint has been filed.
What the Law Actually Says
The most striking feature of these suits is what they do not plead. They do not bring a biometric-privacy statutory claim, because New York does not have one that private plaintiffs can sue under. Instead, the plaintiffs rely on common-law negligence.
In Illinois, a plaintiff in this situation would likely turn to the Biometric Information Privacy Act, codified at 740 ILCS 14. BIPA gives individuals a private right of action and sets liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees. That statutory structure is why Illinois has produced a wave of biometric litigation. We cover the mechanics on our BIPA overview page.
New York has no equivalent statute with a private right of action for biometric collection. New York City has a biometric-identifier ordinance aimed at commercial establishments, but it is narrow and does not give the broad statutory damages BIPA provides. So plaintiffs in the Southern District of New York plead the tort they can: negligence, and negligence per se, arguing that MSG owed a duty to use reasonable care in handling sensitive data, breached that duty, and caused harm when the data was exposed.
New York does regulate data security and breaches, but through a different channel. The Stop Hacks and Improve Electronic Data Security Act, the SHIELD Act, appears at N.Y. General Business Law 899-aa and 899-bb. Section 899-bb requires any business that holds the private information of New York residents to develop, implement, and maintain reasonable administrative, technical, and physical safeguards. Section 899-aa requires notice to affected New York residents when private information is accessed or acquired without authorization. The SHIELD Act, however, is enforced by the New York Attorney General, not by private plaintiffs, and its penalties run to the state rather than to individuals. Plaintiffs can still cite the SHIELD Act's reasonable-safeguards duty as evidence of the standard of care in a negligence per se theory, which is part of why the complaints reference reasonable security measures.
The negligence theory carries its own hurdles. In data-breach cases, federal courts often scrutinize whether plaintiffs have alleged a concrete, particularized injury sufficient for standing, and whether the breach caused that injury. These are contested questions that the court will address at the pleading stage. For background on how New York treats biometric data specifically, see our page on New York biometric privacy.
Analysis: Why This Matters
The following is analysis from the Recording Law Editorial Team.
This dispute sits at the seam between two ideas: that venues increasingly scan faces at the door, and that scanning faces creates a permanent, sensitive dataset that can be stolen. When a venue runs facial recognition at entry, it generates biometric records that, unlike a password, cannot be reset. A breach of that data is therefore different in kind from a leaked email address. The complaints lean heavily on that distinction.
The case also illustrates the patchwork nature of biometric protection in the United States. In Illinois, the statutory framework of BIPA gives individuals a direct, damages-backed cause of action. In New York and most other states, plaintiffs must reach for common-law negligence and breach-notification statutes that were not designed primarily around biometrics. The same alleged conduct can produce sharply different legal exposure depending on the state. That contrast, not any conclusion about MSG, is the durable lesson here.
We take no position on whether MSG violated any law, and we make no prediction about how these suits resolve. Whether the plaintiffs can establish standing, duty, breach, and injury is exactly what the litigation will test. For now, the filings are allegations.
How This Affects You
This section is general information, not advice about any individual situation.
People who pass through venues that use facial recognition at entry generally have limited visibility into what biometric data is collected, how long it is kept, and how it is secured. As a general matter, individuals who believe their data was exposed in a breach can review any notice the company sends, watch for identity-monitoring offers that breach defendants sometimes provide, and consider the protective steps that apply to any data-breach situation, such as monitoring financial accounts.
Legal options vary sharply by state. A resident of Illinois may have a statutory claim under BIPA that a resident of New York does not. Whether any particular person has a viable claim depends on where they live, where the conduct occurred, what data was involved, and how a court treats injury and standing. Anyone weighing a claim should consult a licensed attorney in the relevant jurisdiction. For a broader primer on the underlying rules, see our guides on biometric privacy laws and the Illinois BIPA framework.
What Happens Next
Because several proposed class actions were filed in the same court over the same alleged breach, the parties or the court may seek to consolidate the cases, and plaintiffs could move to coordinate them, including the possibility of multidistrict litigation if related suits surface in other districts. MSG can be expected to respond, and data-breach defendants frequently file motions to dismiss that challenge standing and the sufficiency of the negligence allegations. The pleading stage will likely shape whether and how the cases proceed.
Throughout, the central caveat holds. The breach figures, the 26-million claim, and the negligence allegations are assertions that the plaintiffs must prove. As of June 24, 2026, no court has ruled on the merits, and nothing here should be read as a finding that MSG did anything unlawful. This is a developing story, and the record may change.
This article is general legal information, not legal advice. It addresses federal class-action litigation in New York and the underlying New York and Illinois biometric and data-breach law, verified on June 24, 2026. Laws and dockets change, and the allegations described here are unproven. For advice about a specific situation, consult a licensed attorney in the relevant jurisdiction.
Sources
- Avalo v. Madison Square Garden Entertainment Corp., No. 1:26-cv-05095 (S.D.N.Y. filed June 16, 2026) (complaint; primary docket source, case name and number).
- N.Y. Gen. Bus. Law 899-aa (data-breach notification), New York State Senate: https://www.nysenate.gov/legislation/laws/GBS/899-AA
- N.Y. Gen. Bus. Law 899-bb (reasonable data-security safeguards), New York State Senate: https://www.nysenate.gov/legislation/laws/GBS/899-BB
- New York Attorney General, SHIELD Act overview: https://ag.ny.gov/resources/organizations/data-breach-reporting/shield-act
- Illinois Biometric Information Privacy Act, 740 ILCS 14, Illinois General Assembly: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
- Biometric Update, reporting on the MSG breach lawsuits (corroboration): https://www.biometricupdate.com/202606/new-york-knicks-owner-sued-following-biometric-data-breach
Related articles
- Biometric privacy laws
- Illinois BIPA overview
- New York biometric privacy
- BIPA amendment retroactivity in the Seventh Circuit
- Florida facial-recognition wrongful-arrest lawsuit
- Connecticut facial-recognition law (PA 26-64)
Last updated: 2026-06-24. This is a developing story; details verified as of 2026-06-24.
Frequently Asked Questions
Was MSG facial recognition data leaked?
Plaintiffs and breach reporting allege that the hacking group ShinyHunters published roughly 45 GB of MSG internal data including facial-recognition entry records. Those claims are unproven allegations; as of June 24, 2026, no court has confirmed the scope of the breach, and MSG has not validated the hackers figures.
What is the MSG data breach lawsuit?
The lead suit is Avalo v. Madison Square Garden Entertainment Corp., No. 1:26-cv-05095, filed June 16, 2026 in the U.S. District Court for the Southern District of New York. A concertgoer alleges his biometric and facial data were scanned at entry and exposed in the breach, and pleads negligence and negligence per se.
Can you sue for a facial-recognition data breach in New York?
In New York, plaintiffs generally bring common-law negligence claims rather than a biometric-statute claim, because the state has no biometric-privacy statute with a private right of action. Whether such a suit succeeds depends on standing, duty, breach, and injury, which the court decides.
Does New York have a biometric privacy law like Illinois BIPA?
No. New York has no statewide biometric-privacy statute giving individuals a private right of action comparable to the Illinois Biometric Information Privacy Act (740 ILCS 14). That difference is why the MSG suits plead negligence instead of a biometric-statute claim.
What is the New York SHIELD Act and does it apply here?
The SHIELD Act (N.Y. Gen. Bus. Law 899-aa and 899-bb) requires businesses to maintain reasonable data-security safeguards and to notify New York residents of breaches. It is enforced by the state attorney general, not by private plaintiffs, though plaintiffs may cite its reasonable-safeguards duty in a negligence theory.
How much money does the MSG complaint seek?
The Avalo complaint seeks at least $5 million in damages on behalf of a proposed class, plus restitution and a court order requiring MSG to overhaul its data-security and data-retention practices. The amount is a pleading; no damages have been awarded.
How many lawsuits have been filed against MSG over the breach?
Reporting indicates that as many as five proposed class actions had been filed in the Southern District of New York by June 18, 2026, all arising from the same alleged breach and resting on similar negligence theories. The number may change as the docket develops.
Has a court found MSG liable?
No. As of June 24, 2026, these are filed complaints with unproven allegations. No court has ruled on the merits, found MSG liable, or confirmed the breach figures asserted by the hackers and plaintiffs.
Sources and References
- N.Y. Gen. Bus. Law 899-aa (data-breach notification)(nysenate.gov).gov
- N.Y. Gen. Bus. Law 899-bb (reasonable data-security safeguards)(nysenate.gov).gov
- New York Attorney General, SHIELD Act overview(ag.ny.gov).gov
- Illinois Biometric Information Privacy Act, 740 ILCS 14(ilga.gov).gov
- Biometric Update reporting on the MSG breach lawsuits (corroboration)(biometricupdate.com)