Millions of sports fans and entertainment goers have likely been targeted by hackers who hit several properties owned by the Madison Square Garden Company (MSG). The firm acknowledged that its payment systems were infected by a malware created to harvest customers' credit card details. The malware was believed to have been operating for a year, allowing hackers to pilfer sensitive financial and personal information.
MSG notified its customers of the breach on 22 November, adding that the attack exposed customer data held on the back of magnetic strips on credit cards. Sensitive information such as customers' names, card numbers, expiration dates and verification codes were also exposed.
The malware targeted cards used to purchase food and merchandise on several MSG properties between 9 November, 2015 and 24 October, 2016. The properties affected by the attack include Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater and Chicago Theater.
MSG said it was informed about suspicious transaction patterns by the card-issuing bank, which prompted the firm to launch an investigation.
The firm said: "Findings from the investigation show external unauthorised access to MSG's payment processing system and the installation of a program that looked for payment card data as that data was being routed through the system for authorisation."
MSG has not disclosed further details of the cyberattack. It is still unclear how many people were affected by the malware. The identity and location of the hacker/hackers responsible for mounting the attack are also not known.
The firm stressed: "Not all cards used during this time frame were affected. This incident did not involve cards used on MSG websites, at the venues' Box Offices, or on Ticketmaster." MSG also said that it has "stopped this incident" and alerted law enforcement about the attack. In efforts to assure its customers, the firm stated that it will continue to collaborate with security firms to strengthen its security to avoid such breaches in the future.
The year 2016 has seen a spate of cyberattacks targeting a range of high-profile firms, which have resulted in hackers stealing sensitive customer card data. Massive attacks targeting point of sale (PoS) systems, such as the Oracle data breach and the Hyatt malware attack have highlighted the vulnerability of PoS systems and the need for advanced security measures.