Hackers compromised five different locations of the Madison Square Garden Company: Madison Square Garden itself, The Theater at MSG, Radio City Music Hall, and Beacon Theater all in New York plus the Chicago Theater in Illinois.
At each of those locations, they installed a program that captured payment information data that was routed through their systems such as credit card numbers, cardholder names, expiration dates, etc.
The program even stole the internal verification code from the card’s magnetic stripe.
It’s unknown at this time how many credit card numbers were stolen.
However, since the hack was ongoing for almost a year, starting in November 2015 and continuing to October 2016, there’s a good chance the number is significant.
There’s a silver lining in that the breach did not extend to the Madison Square Garden websites, box offices, or 3rd party ticket sellers.
Here’s what they’re not talking about:
In order to install the program that captured the credit card information, hackers first had to gain access to the networks at these locations. That means that hackers first broke into the Madison Square Garden network.
It is also possible that this was an inside job, where someone on the inside (MSG employee or contractor) with access to these systems installed the program to capture credit card data.
Either way, someone installed the program.
But one has to question, what else did they do?
It’s not good for them to be inside the network too long or to do anything that brings attention to the breach for fear of being found out. So it’s likely they limited their time inside the network to as little as they could.
But it’s also possible that they had the time to download or search through files looking for passwords, employee data, credit card information, and other sensitive data. If it was an inside job, they could have had plenty of time to search through files like this.
These other forms of data breach might be a lot harder to detect, especially since the initial breach was over a year ago.
The Madison Square Garden Company is working with law enforcement and computer security help to recover from the breach and tighten their security to ensure this doesn’t happen again.
However, who knows if the hackers left any kind of “sleeper agent” software designed to activate in the future and re-open a back door to let them back in?
I hope MSG is able to recover fully and get solid security in place so there isn’t a relapse in the future.
And to all those customers who had their credit card data stolen, let’s hope the thieves haven’t been able to cause any harm before the cards can be replaced.
– Weston Henry
What obligation do you feel Madison Square Garden has to those people who had their credit card numbers stolen?
What would you do if you found out an attack like this had been going on in your business?