Madison Square Garden Entertainment Corp., the company running the popular indoor sports and entertainment arena with the same name in New York City, said the data of more than 131,000 customers was accessed by hackers who breached the Oracle E-Business Suite in 2025.

The sports and entertainment company said in a data breach notification shared with U.S. regulators that it discovered in November that the data of some of its customers was impacted after hackers exploited a zero-day vulnerability in the Oracle E-Business Suite in August 2025 to access data related to more than 100 companies.
MSG said it had previously engaged a third-party vendor to host and manage the Oracle E-Business Suite to support workforce and financial operations. After the vendor learned about the cyber security incident affecting Oracle EBS, it began an investigation with help from a cyber forensic firm and determined that data associated with MSG had been accessed during the incident.
"Madison Square Garden reviewed the files and in December 2025, determined that a file containing the names and Social Security numbers of 11 Maine residents was involved. The files were part of business records related to hiring or payments made to individuals," the company said in a notification shared with the Attorney-General of Maine.
According to analysis by UpGuard, the data security incident involving Oracle EBS in August impacted a total of 131,070 individuals who shared their information with Madison Square Garden Corp. The incident involved the Clop ransomware group accessing data stored in the application between August 10, 2025, and October 21, 2025, and stealing names, Social Security numbers and other information. Oracle discovered the incident on December 16, 2025.
The list of affected organisations included Oracle Corporation, Broadcom, Canon, Michelin, Mazda Motor, Estee Lauder Companies, Humana Inc., MAS Holdings, Abbott Laboratories, Bechtel, Enovis Corporation, Elkay Manufacturing, the University of Phoenix, Tulane University, and Greater Cleveland Regional Transit Authority.
The cyber security incident also affected the likes of GlobalLogic (Hitachi Group), Cox Enterprises, The Washington Post, Allianz UK, Sato Corporation, Envoy Air, and NHS England.
The Clop ransomware group reportedly exploited a zero-day vulnerability in Oracle EBS, assigned CVE-2025-61882, that allowed the threat group to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The vulnerability affected organisations using Oracle E-Business Suite versions 12.2.3 to 12.2.14.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543