430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Oracle EBS 2025 campaign impacts Madison Square Garden, sensitive data leaked

Madison Square Garden confirmed a data breach tied to the 2025 Oracle E-Business Suite hacking campaign. Madison Square Garden (MSG) has confirmed it was affected by a data breach linked to the 2025 cybercrime campaign targeting Oracle’s E-Business Suite (EBS) customers. Madison Square Garden (MSG) is a world-famous multi-purpose indoor arena located in New York […]

Madison Square Garden

Madison Square Garden confirmed a data breach tied to the 2025 Oracle E-Business Suite hacking campaign.

Madison Square Garden (MSG) has confirmed it was affected by a data breach linked to the 2025 cybercrime campaign targeting Oracle’s E-Business Suite (EBS) customers.

Madison Square Garden (MSG) is a world-famous multi-purpose indoor arena located in New York City, USA. It hosts sports events, concerts, and entertainment shows. MSG is home to the New York Knicks (NBA) and New York Rangers (NHL) and is renowned for its history, iconic location, and large-scale live events.

The incident, disclosed months after the initial attacks, places the company among numerous organizations compromised in the large-scale hacking operation exploiting Oracle EBS environments.

In the Oracle EBS hacking campaign, the Cl0p ransomware group exploited zero-day flaws to access data from over 100 organizations, including MSG, in November 2025. MSG refused to pay the ransom, then the extortion group leaked more than 210GB of the company’s archived files, exposing sensitive information.

“The Oracle eBusiness Suite, hosted and managed for us by a vendor, is used for certain workforce and financial operations. Oracle notified its customers that a previously undisclosed condition in the application had been exploited by an unauthorized person to gain access to data from the application. There are reports that this occurred at over 100 companies.” reads the data breach notification letter sent to the Maine Attorney General’s Office. “Our vendor began an investigation, and a forensic firm was also engaged. The investigation determined in late November 2025 that an unauthorized person gained access to some data from the application in August 2025. What Information Was Involved? We reviewed the files, which were part of business records related to hiring or payments made to individuals, and in December 2025, determined that a file containing your name and Social Security number was involved.”

In October 2025, Oracle released an emergency patch to address a critical vulnerability, tracked as CVE-2025-61882 (CVSS 9.8) in its E-Business Suite.

The flaw was exploited by the Cl0p ransomware group in data theft attacks. Unauthenticated remote attackers can exploit the flaw to take control of the Oracle Concurrent Processing component.

Madison Square Garden alerted law enforcement and began notifying affected individuals after a third-party vendor confirmed that hackers had stolen personal data from its Oracle EBS system in August 2025.

MSG is offering affected individuals a complimentary one-year credit monitoring, report, and score through Cyberscout, a TransUnion company, to help detect misuse of personal information and provide identity theft protection. Instructions to activate the service and additional recommended steps are provided in the following pages.

“We confirmed that our vendor successfully implemented measures recommended by Oracle for the application to prevent a recurrence. We also notified law enforcement.” concludes the letter.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MSG)