# Incident Report: Alleged Data Breach of Madison Square Garden Entertainment
## Executive Summary
Hackers belonging to the "Velocity" group claim to have exfiltrated several terabytes of sensitive data from Madison Square Garden (MSG) Entertainment. The threat actors allegedly accessed internal systems, including backups and financial records, and have begun leaking samples online. While MSG has acknowledged an investigation into "limited" unauthorized access, the full extent of the compromise remains under assessment.
## Incident Details
- **Discovery Date:** Week of May 19, 2024 (Public claim)
- **Incident Date:** May 2024
- **Affected Organization:** Madison Square Garden Entertainment (MSG)
- **Sector:** Entertainment / Hospitality
- **Geography:** New York, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Early May 2024
- **Vector:** Unknown (Alleged exploitation of internal network)
- **Details:** Attackers claim to have gained access to internal file servers and management systems.
### Lateral Movement
- The threat group reportedly moved across the network to target backup servers and administrative departments (HR, Finance, Legal).
### Data Exfiltration/Impact
- **Volume:** Claimed several terabytes.
- **Data Types:** Internal emails, financial documents, employee information, and proprietary business data.
- **Leak:** Samples were posted on a dark web forum to pressure the organization.
### Detection & Response
- **Detection:** Discovered via the publication of stolen data on extortion sites.
- **Response:** MSG Entertainment stated they are working with external cybersecurity experts and law enforcement to investigate the claims.
## Attack Methodology
- **Initial Access:** Not explicitly detailed by the group, though they claim "easy access" to internal systems.
- **Persistence:** Likely achieved through compromised administrative credentials.
- **Privilege Escalation:** Targeted backup systems and administrative shares.
- **Lateral Movement:** Traversed from initial entry point to file servers and repositories containing sensitive corporate data.
- **Exfiltration:** Large-scale transfer of internal files to attacker-controlled infrastructure.
- **Impact:** Extortion and reputational damage through public data leaks.
## Impact Assessment
- **Financial:** Potential for significant regulatory fines and remediation costs; no specific ransom amount was disclosed in the report.
- **Data Breach:** High. Alleged theft of PII (Personally Identifiable Information) and sensitive corporate strategy documents.
- **Operational:** No significant interruption to venue services was reported, but the impact on internal administrative operations is high.
- **Reputational:** Significant public interest due to the high profile of Madison Square Garden.
## Indicators of Compromise
- **Network indicators:** Activity associated with the "Velocity" hacking group (hXXps[:]//velocity[.]leak-site).
- **Behavioral indicators:** Unusual volume of data transfer from internal backup servers to external IP addresses.
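One way to operationalize the behavioral indicator above, as an added example that is not part of the original report: aggregate outbound flow volume from designated backup hosts to non-internal addresses per hour and flag any host/destination pair that exceeds a multiple of its normal baseline. The backup host addresses, internal subnets, baseline figure and flow records are constructed assumptions, not data from the incident.

```python
"""Flag unusual outbound transfer volume from backup servers to external IPs.

Added example, not part of the original report. Hosts, subnets, the baseline
and the flow records below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: hosts designated as backup servers, and the internal ranges.
BACKUP_HOSTS = {"10.20.5.11", "10.20.5.12"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Constructed baseline: bytes per hour a backup host normally sends outbound.
BASELINE_BYTES_PER_HOUR = 50 * 1024 * 1024
THRESHOLD_MULTIPLIER = 10

# Constructed flow records: (hour bucket, src_ip, dst_ip, bytes_out)
FLOWS = [
    ("2024-05-03T01", "10.20.5.11", "10.20.9.40", 40 * 1024 * 1024),      # internal replication
    ("2024-05-03T02", "10.20.5.11", "203.0.113.25", 900 * 1024 * 1024),   # large external transfer
    ("2024-05-03T02", "10.20.5.11", "203.0.113.25", 700 * 1024 * 1024),   # same destination, same hour
    ("2024-05-03T02", "10.20.5.12", "198.51.100.7", 3 * 1024 * 1024),     # small, below threshold
    ("2024-05-03T03", "10.20.7.3", "203.0.113.25", 2 * 1024 ** 3),        # not a backup host
]


def is_external(ip: str) -> bool:
    """True when the address is outside every internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_backup_exfil(flows, baseline=BASELINE_BYTES_PER_HOUR,
                      multiplier=THRESHOLD_MULTIPLIER):
    """Return (hour, backup_host, dst_ip, total_bytes) above baseline * multiplier.

    Volume is summed per (hour, src, dst) so many medium flows to one external
    destination are judged together rather than individually.
    """
    totals = defaultdict(int)
    for hour, src, dst, nbytes in flows:
        if src in BACKUP_HOSTS and is_external(dst):
            totals[(hour, src, dst)] += nbytes
    threshold = baseline * multiplier
    return sorted((h, s, d, b) for (h, s, d), b in totals.items() if b > threshold)


if __name__ == "__main__":
    for hour, src, dst, total in flag_backup_exfil(FLOWS):
        print(f"{hour} {src} -> {dst}: {total / 2**20:.0f} MiB outbound from backup host")
```

In production the per-host baseline would come from a rolling history rather than a constant, and the source set from an asset inventory tag rather than a hard-coded list.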
## Response Actions
- **Containment:** MSG stated they have taken steps to secure their environment.
- **Eradication:** Ongoing forensic investigation to identify and remove unauthorized access points.
- **Recovery:** Restoration of impacted systems and validation of backup integrity.
## Lessons Learned
- **Backup Security:** Storing backups on the same network or with the same credentials as primary systems allows attackers to target the last line of defense.
- **Third-Party Monitoring:** The incident highlights the need for continuous monitoring of dark web forums to detect leaks early.
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure robust MFA is enforced across all remote access points and administrative accounts.
- **Network Segmentation:** Isolate critical financial and HR data from the broader corporate network.
- **Immutable Backups:** Implement offline or immutable backups that cannot be modified or deleted by attackers even if they gain administrative access.
- **Endpoint Detection and Response (EDR):** Deploy EDR solutions to monitor for lateral movement and credential harvesting.