After more than fifty years wandering the basketball desert, the New York Knicks have finally won another NBA title. And New York City is still standing! Knicks fans this past week have known an unbounded, indescribable elation. They’re so happy, it might not even dampen their jubilation to think about the data breach at Madison Square Garden.
Controversial since its inception, the surveillance and facial recognition technology the Garden employs under owner James Dolan, will likely now come under further scrutiny, thanks to a new mega breach, and the class action lawsuit now filed in New York federal court.
Who else do we find at the source of this incident but ShinyHunters? This time they claim to have stolen over 42 GB of sensitive data from more than 26 million visitors to the Garden. Biometric data, facial recognition, credit card and Social Security numbers, millions of emails and street addresses: all have been collected over the years to create “threat assessment” profiles of patrons visiting the venue, often based on their perceived offense or insult to Dolan. (I’m sure we can all be relieved that Ben Stiller is classified as low risk) Some of the most notorious incidents in recent years involve Dolan ordering the removal of several lawyers from the Garden, solely due to their employment by firms that were involved in active litigation against parent company Madison Square Garden Entertainment (MSGE).
Past breaches of the Garden have already seen some of this data exposed. Now we even learn, through this breach, that they also gathered information to create dossiers on critics and activists of the company’s invasive data collection practices.
This, then, is the result. For an organization that shows a cavalier attitude to personal privacy, you would think MSGE would have the sense to keep its hoard of questionably obtained data more secure. Sports data on the whole has become wildly attractive to many industries…including cybercrime. And what could be more tempting than a place like the Garden and its readily compiled portfolios?
The plaintiffs in the lawsuit clearly agree, stating how MSGE “should have known that collecting facial recognition and other data through their sprawling surveillance machine would attract cyberattacks and should have taken enhanced security measures to protect that data.”
Unfortunately, insecurity from the top down has led to insecurity for the entire enterprise of data security. What awaited bad actors within MSG’s networks was a massive feast they couldn’t turn down. Failure to encrypt or otherwise protect such a valuable resource, especially when it was gathered in the face of very public censure, is unacceptable for the vaunted “world’s most famous arena.” With any luck this current spotlight will finally bring about some change in how the Garden treats its customers.