The Madison Square Garden company has notified customers of a breach that took place on its payment processing systems, the perpetrators of which gained access to customer data including names, credit card numbers, and security codes.
Adding to the misfortune of the breach is the fact that many of these customers already suffer the indignity of being Knicks fans. MSG did not disclose the number of compromised cards.
From the notice:
Findings from the investigation show external unauthorized access to MSG’s payment processing system and the installation of a program that looked for payment card data as that data was being routed through the system for authorization. Data contained in the magnetic stripe on the back of payment cards swiped in person to purchase merchandise and food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater between November 9, 2015 and October 24, 2016 may have been affected, including credit card numbers, cardholder names, expiration dates and internal verification codes.
That is–all of the data necessary to clone a card was obtained in the breach.
According to the company, purchases made via MSG websites or sites such as Ticketmaster were left secure, because the breach is being largely attributed to the vulnerabilities of the magnetic stripe on the back of plastic credit cards when used at the point of sale.
The liability for magstripe transactions involving chip-equipped cards is on the merchant, rather than the bank, but as U.S. customers can attest, many merchants still ask for a swipe rather than a dip. The dip can be annoying (and time-consuming) but these days, customers are used to it, and may even know it’s safer.
Data released by both Mastercard and Visa earlier this year reflects positively on the rise of EMV, with over 88% of Mastercard consumer credit cards coming equipped with a chip; Visa data shows that about 55% of credit cards and about 43% of debit card are now chip-enabled.
However, chip cards still come equipped with the magnetic stripe, which means the cards are only secure if merchants — or consumers — actually use the chip for transactions.