▣ Breach MADISON-SQUARE-GAR 2026-06-24

Madison Square Garden: Vishing Breach Exposes Knicks and Talent Records



title: "Madison Square Garden: Vishing Breach Exposes Knicks and Talent Records"
date: 2026-06-24
slug: madison-square-garden-data-breach



Madison Square Garden suffered a data breach in which attackers exfiltrated more than 45GB of internal data, including records related to "talent" and the New York Knicks, according to reporting by 404 Media. The publication's review of the stolen data, along with statements from the hackers themselves, indicates the intrusion began with a single phone call to a low-level employee who was tricked into granting access to MSG's systems.

What Happened

The threat actors gained their initial foothold through social engineering conducted over a voice call, a technique commonly referred to as "vishing." Rather than relying on a malicious email or a spoofed login page, the attackers phoned a low-level MSG employee directly and manipulated that person into letting them into the company's internal systems. Once inside, the actors were able to move through MSG's environment and stage a large volume of data for theft. 404 Media confirmed the breach through both direct communication with the hackers and an independent review of the stolen files, with clues embedded in that data pointing back to how the initial access was obtained.

What Was Taken

The hackers exfiltrated more than 45GB of data from Madison Square Garden. Among the stolen material were records described as relating to "talent," a category that for an entertainment and sports venue of MSG's scale can encompass performers, contractors, and the high-profile individuals who appear at its events. The cache also included data tied to the New York Knicks, the NBA franchise that calls the arena home. The combination of talent and team-related records raises the prospect of sensitive personal, contractual, and operational information being exposed. The full scope of personally identifiable information within the cache has not been publicly enumerated, but the volume alone signals a substantial loss.

Why It Matters

This incident is a clear demonstration that voice-based social engineering has matured into a frontline threat rather than a fringe tactic. For years, phishing over email dominated the social engineering landscape because it scaled cheaply and exploited inbox habits. Vishing flips that model: it is personal, real-time, and far harder for technical controls to filter. The rise of young, native English-speaking threat actors has made these calls more convincing, because the attacker sounds like a colleague, a vendor, or an internal help desk agent. For organizations that have invested heavily in email security gateways and phishing simulations, MSG's breach is a reminder that the human voice remains an unguarded entry point, and that a single employee can become the pivot for a multi-gigabyte data loss.

The Attack Technique

The attackers used vishing to defeat MSG's perimeter. According to the hackers, they called a low-level employee and used pretext and persuasion to convince that person to let them into the company's systems. This approach bypasses many of the controls organizations rely on, because no malicious attachment is opened and no fake web page is visited. Instead, the employee is talked into performing a legitimate-looking action, such as approving an access request, resetting a credential, or relaying a code, that hands the attacker the keys. Vishing campaigns of this kind frequently target lower-level staff precisely because they may have less security training and are accustomed to following instructions from people claiming authority. Once access was granted, the actors leveraged it to locate and exfiltrate the 45GB cache.

What Organizations Should Do

  1. Train all staff, especially frontline and junior employees, to recognize vishing and to treat unsolicited calls requesting access, credentials, or multi-factor codes as suspicious by default.
  2. Establish a strict, out-of-band verification process for any access or password reset request, requiring help desk and IT staff to confirm caller identity through a known internal channel before acting.
  3. Deploy phishing-resistant multi-factor authentication, such as hardware security keys or FIDO2 passkeys, so that a verbally relayed code cannot be used to complete a login.
  4. Enforce least-privilege access so that any single compromised account exposes only a limited slice of data, and segment sensitive records such as talent and team information.
  5. Monitor for anomalous data access and large outbound transfers, with alerting tuned to flag bulk exfiltration before tens of gigabytes leave the network.
  6. Run regular vishing simulations alongside email phishing exercises, and build a low-friction reporting path so employees can quickly escalate a suspicious call.
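
An added example for recommendation 5 (not from the 404 Media reporting or from MSG): a sliding-window detector that sums outbound bytes per account and alerts once an assumed budget is crossed, so the alarm fires while the transfer is still in single-digit gigabytes. The log format, account names, one-hour window, and 5 GB threshold are all assumptions; the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

GB = 1024 ** 3
WINDOW = timedelta(hours=1)   # assumed look-back window
THRESHOLD = 5 * GB            # assumed per-account egress budget per window

# Constructed egress records (sorted by time): timestamp, account, destination, bytes out.
# Account names are hypothetical; addresses come from documentation ranges.
SAMPLE_LOG = """\
2026-01-01T09:00:00 svc-backup 203.0.113.10 3221225472
2026-01-01T09:05:00 jdoe 198.51.100.7 2147483648
2026-01-01T09:15:00 jdoe 198.51.100.7 2147483648
2026-01-01T09:25:00 jdoe 198.51.100.7 2147483648
2026-01-01T09:35:00 jdoe 198.51.100.7 2147483648
2026-01-01T10:30:00 svc-backup 203.0.113.10 3221225472
"""

def detect_bulk_egress(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per account, raised the first time its outbound
    total inside the sliding window exceeds the threshold."""
    recent = defaultdict(deque)   # account -> (timestamp, bytes) still in window
    totals = defaultdict(int)     # account -> running byte total for the window
    alerted, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ts_raw, user, dest, nbytes = line.split()
        ts, nbytes = datetime.fromisoformat(ts_raw), int(nbytes)
        q = recent[user]
        q.append((ts, nbytes))
        totals[user] += nbytes
        # Evict records older than the window before comparing to the budget,
        # so slow, periodic transfers (e.g. a backup job) do not accumulate.
        while q and ts - q[0][0] > window:
            totals[user] -= q.popleft()[1]
        if totals[user] > threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "time": ts.isoformat(),
                           "window_bytes": totals[user], "last_dest": dest})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_egress(SAMPLE_LOG.splitlines()):
        print(alert)
```

In practice the threshold would be set per role from each account's own baseline rather than as one global constant.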

Sources: How Hackers Broke into Madison Square Garden