By Robert J Romano, JD, LLM, St. Johns’ University
Days after New York City celebrated their beloved Knicks capturing its first NBA Championship since 1973, the team’s ownership discovered that they may soon be playing in its own hotly contested competition, albeit in a different kind of court. On June 16, 2026, just three days after the Knickerbockers defeated the Spurs 94-90, a previous visitor to MSG, Carlos Avalos, filed a class action lawsuit against Madison Square Garden Entertainment Corporation (MSG) in the U.S. District Court for the Southern District of New York.[1]
Mr. Avalos’ 32 page, two-count complaint, alleging negligence and negligence per se, maintains that MSG failed in its duty of reasonable care when it came to safeguarding the personally identifiable and biometric information it collected as patrons bought tickets to, and entered the facility and that those failures exposed his and numerous others’ sensitive personal and biometric information to third parties.
Per his complaint, Avalos states that he attended a concert at MSG in September 2025, during which the venue’s entry systems captured his personally identifying information and biometric profile. He further claims that he believes his information was involved with the illegal hacking incident allegedly perpetrated by a group calling itself ‘ShinyHunters’[2] and claims that those hackers obtained, and later published, a significant amount of internal MSG data after a ransom demand was not paid. The leaked dataset, according to Avalos’ complaint, went beyond simple contact information and encompassed facial recognition records, background-check results, credit scores, and Social Security numbers, along with internal ‘threat assessment’ files that included information of up to 26 million consumers, including some celebrities.[3]
Avalos also discusses in detail MSG’s “tempestuous history” with data privacy, including the company’s use of facial-recognition screening despite years of public criticism and prior security failures. Specifically, the complaints revisits claims that MSG implemented a facial recognition system in 2018, while also engaging in various types of mass surveillance of visitors to the Arena and of the surrounding neighborhood including using members of Defendant’s security disguised as police officers to spy on local protesters.[4] He alleges that MSG’s security apparatus knows no bounds, compiling dossiers on individuals and screen-grabbing the law firm photos of over 1,200 lawyers who presented “threats” to Defendant by way of litigating cases against it to feed them into the Arena’s facial recognition and surveillance system to ban from the Arena.[5]
From a legal standpoint, the primary issue of this case won’t be whether MSG was negligent or not, that’s a factual dispute to be flushed out as the case continues during discovery. Instead, it will be to discern if Avalos has a concrete, personal stake in the outcome, or in other words, has Article III standing.[6] Article III standing is one of those constitutional doctrines that determines if a person has the right to file a lawsuit in federal court. Derived from the “Case and Controversies” requirement in Article III, Section 2 of the U.S. Constitution, it ensures that federal courts only decide real, active disputes rather than issuing abstract or advisory opinions. If a plaintiff lacks Article III standing, the federal court lacks subject-matter jurisdiction and the case will be dismissed.
Following the U.S. Supreme Court’s decisions in both the TransUnion v. Ramirez[7] and Clapper v. Amnesty International[8] cases, the bar was raised significantly for plaintiffs in that now they are required to produce concrete, “certainly impending” harm rather than relying on hypothetical risks or statutory violations alone. Together, Clapper and TransUnion reshaped federal courthouse access by narrowing what counts as “injury” under Article III. Clapper foreclosed speculative future-harm theories, shutting out plaintiffs who couldn’t prove surveillance was “certainly impending.” TransUnion extended this rigor to statutory claims, ruling that Congress cannot simply legislate standing into existence, concrete harm remains constitutionally required, even when a statute creates a private right of action. The combined effect: plaintiffs alleging privacy, surveillance, or informational injuries face a steep evidentiary burden, and class actions built on technical statutory violations face heightened scrutiny before reaching trial.
Complicating the matter, however, is that Avalos’s lawsuit is not the only action arising from this data breach. Within days of his filing, two parallel suits also name MSG as a defendant. Given the scale of the alleged breach, MSGE’s recent history of security incidents, and the unresolved biometric-privacy questions at the litigation’s core, this case is positioned to become a significant test of corporate liability for biometric data breaches. Its resolutions, whether through early dismissal on standing grounds, consolidated class settlement, or extended discovery into MSG’s security practices, will likely shape how venues nationwide approach facial-recognition deployment going forward.
It should be noted that sports facilities and venues are becoming higher-value cyber targets. In fact, Darktrace’s industry survey found 84% of sports-organization IT security professionals had experienced a cyber incident in the past year.[9] A ruling on whether biometric ‘threat assessment’ data triggers heightened duties of care could shape how every NBA/WNBA, NHL, and NFL venue using facial-recognition entry systems calibrates its retention and security practices going forward. All of which are a fitting irony for litigation that surfaced in the week the Knicks finally brought a championship home to the Garden.
[1] Carlos Avalos v Madison Square Garden Entertainment Corporation, Case 1:26-cv-05095 Document 1 Filed 06/16/26.
[2] ShinyHunters is believed to have been formed in about 2020 and has often engaged in cyber extortion. In May, the maker of Canvas, a software used by thousands of schools, said that it had reached a deal with the hackers to return stolen data and destroy any copies. The company did not say what it had given the hackers in exchange.
[3] Id. at page 1.
[4] Bobby Silverman and Noah Schactman, “Inside Madison Square Garden’s Surveillance Machine,” WIRED (ONLINE) (Apr. 23, 2026), at https://www.wired.com/video/watch/how-weexposed-the-shocking-secrets-of-madison-square-gardens-surveillance-machine-and-why-itmatters-to-everyone.
[5] Complaint at page 7.
[6] Article III, Section 2, Clause 1.
[7] TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021).
[8] Clapper v. Amnesty International USA, 568 U.S. 398 (2013).
[9] https://www.dataprivacyandsecurityinsider.com/2026/06/darktrace-report-highlights-cyber-threats-against-global-sporting-sector/
