Visitors to four of its New York venues and one Chicago theater may be affected.
The Madison Square Garden Company this week disclosed a massive credit card breach at four of its New York venues.
Payment cards used to purchase merchandise, food, and drinks between Nov. 9, 2015 and Oct. 24, 2016 at Madison Square Garden, the Theater at MSG, Radio City Music Hall, or Beacon Theater—as well as Chicago Theater in Illinois—may have been affected.
That means, for example, anyone who picked out a Billy Joel T-shirt or ordered popcorn and a beer during the Rockettes Christmas Spectacular could be a victim of identity theft.
“Findings from the investigation show external unauthorized access to MSG’s payment processing system and the installation of a program that looked for payment card data as that data was being routed through the system for authorization,” the Madison Square Garden Company said in a customer update.
The hack was designed to steal details like card number and expiration date, cardholder name, and the internal verification code from the magnetic strip.
“MSG has stopped this incident, and we continue to work with the computer security firms to further strengthen the security of our systems to help prevent this from happening again,” according to the firm, which is also cooperating with law enforcement.
The breach did not involve cards used on MSG websites, at the venues’ box offices, or via Ticketmaster.
The Madison Square Garden Company, founded in 2010, owns several operating entities, including the famed Manhattan amphitheater of the same name.
Considered the fourth-busiest music stadium in the world, The Garden and its sister sites are prime targets for cyberattacks.
“MSG values the relationship we have with our customers and understands the importance of protecting personal information,” the company said. “We regret any inconvenience this may have caused.”