The venues host hundreds of thousands of people annually.
The venues host hundreds of thousands of people annually.

Madison Square Garden Company (MSG) reported payment card information was stolen from potentially hundreds of thousands of customers who attended shows or sporting events at the organization's five major venues during the last year.

MSG reported it had been told by several financial institutions that a pattern of fraudulent activity had been spotted taking place in its point of sale (POS) system and a subsequent investigation by MSG and an outside security firm discovered unauthorized personnel had been accessing POS data from Nov. 9, 2015 to Oct. 24, 2016. The food and merchandise retail POS systems affected were located at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater. Information involved included, credit card numbers, cardholder names, expiration dates and internal verification codes, but MSG said not all cards used during this period were affected.

“Findings from the investigation show external unauthorized access to MSG's payment processing system and the installation of a program that looked for payment card data as that data was being routed through the system for authorization,” MSG said in a written statement.

This attack is reminiscent of similar data breaches which hit retailers several years ago, but have recently fallen out favor as cybercriminals switched over to using ransomware and targeting other types of large organizations.

"Madison Square Garden's breach may be common in that we've seen it before, but it's not common in that we haven't seen much of it lately. In fact this breach bears a strong resemblance to the high-profile POS RAM scraping hacks we saw so much of in 2014 (Target, Home Depot, Neiman Marcus),” Casey Ellis, CEO and founder of Bugcrowd, told SC Media in an email.

MSG said the malware has been removed from its system and that the company continues to work with an outside security firm to mitigate the damage.

The venues impacted host the NHL Rangers, NBA Knicks, Radio City Music Hall Rockettes and top-flight musical acts that attract hundreds of thousands of visitors per year. MSG has not released any figures on how many people were impacted nor what type of malware was involved.

“It's critical to properly segment these networks, actively monitor them for breach indicators, and always assume that these systems have been breached,” Richard Henderson, global security strategist at Absolute Software, said to SC Media in an email.