Data Breach at Madison Square Garden.


madison-square-gardenIt was revealed recently that the Madison Square Garden Company (MSGC) has suffered a data breach at five of its venues.

In a statement, the company wrote that it has notified customers that an investigation found “external unauthorized access to MSG’s payment processing system” at Madison Square Garden, the Theatre at Madison Square Garden, Radio City Music Hall, Beacon Theatre, and the Chicago Theatre in the past year.

The data breach appears to have originated through compromised ‘swipe card’ machines, the older version of PED (Pin Entry Devices)  – as the use of ‘Chip and Pin’ is still not widespread in the United States.

According to the MSGC statement “Data contained in the magnetic stripe on the back of payment cards swiped in person to purchase merchandise and food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater between November 9, 2015 and October 24, 2016 may have been affected, including credit card numbers, cardholder names, expiration dates and internal verification codes. Not all cards used during this time frame were affected. This incident did not involve cards used on MSG websites, at the venues’ Box Offices, or on Ticketmaster.

That’s nearly a year before the compromise was detected, and during that period those venues hosted hundreds of  concerts and sporting events.

Madison Square Garden alone held three Kanye West ‘events’, six sell-out concerts by Adele, two Radiohead concerts, and a long term residency by Billy Joel.

And every card used to purchase merchandise, hot dogs or popcorn at those events might be compromised.

It’s easy, here in Europe to feel smug, given the reduction in ‘card present’ data fraud that followed up the introduction of Chip & Pin (EMV) technology.

But there’s no room for complacency; merchants should remain vigilant to ensure that their PED devices haven’t been tampered with.

The UK Card Association has published a comprehensive guidance note for Point of Sale (PoS) devices here.