Oracle EBS 2025 campaign impacts Madison Square Garden, sensitive data leaked

Madison Square Garden confirmed a data breach tied to the 2025 Oracle E-Business Suite hacking campaign.

Madison Square Garden (MSG) has confirmed it was affected by a data breach linked to the 2025 cybercrime campaign targeting Oracle’s E-Business Suite (EBS) customers.

Madison Square Garden (MSG) is a world-famous multi-purpose indoor arena located in New York City, USA. It hosts sports events, concerts, and entertainment shows. MSG is home to the New York Knicks (NBA) and New York Rangers (NHL) and is renowned for its history, iconic location, and large-scale live events.

The incident, disclosed months after the initial attacks, places the company among numerous organizations compromised in the large-scale hacking operation exploiting Oracle EBS environments.

In the Oracle EBS hacking campaign, the Cl0p ransomware group exploited zero-day flaws to access data from over 100 organizations, including MSG, in November 2025. MSG refused to pay the ransom, and the extortion group then leaked more than 210GB of the company’s archived files, exposing sensitive information.

“The Oracle eBusiness Suite, hosted and managed for us by a vendor, is used for certain workforce and financial operations. Oracle notified its customers that a previously undisclosed condition in the application had been exploited by an unauthorized person to gain access to data from the application. There are reports that this occurred at over 100 companies.” reads the data breach notification letter sent to the Maine Attorney General’s Office. “Our vendor began an investigation, and a forensic firm was also engaged. The investigation determined in late November 2025 that an unauthorized person gained access to some data from the application in August 2025.

What Information Was Involved?

We reviewed the files, which were part of business records related to hiring or payments made to individuals, and in December 2025, determined that a file containing your name and Social Security number was involved.”

In October 2025, Oracle released an emergency patch to address a critical vulnerability, tracked as CVE-2025-61882 (CVSS 9.8), in its E-Business Suite.

The flaw was exploited by the Cl0p ransomware group in data theft attacks. Unauthenticated remote attackers can exploit the flaw to take control of the Oracle Concurrent Processing component.

Madison Square Garden alerted law enforcement and began notifying affected individuals after a third-party vendor confirmed that hackers had stolen personal data from its Oracle EBS system in August 2025.

MSG is offering affected individuals a complimentary one-year credit monitoring, report, and score through Cyberscout, a TransUnion company, to help detect misuse of personal information and provide identity theft protection. Instructions to activate the service and additional recommended steps are provided in the following pages.

“We confirmed that our vendor successfully implemented measures recommended by Oracle for the application to prevent a recurrence. We also notified law enforcement.” concludes the letter.

Pierluigi Paganini

(SecurityAffairs – hacking, MSG)