The Madison Square Garden Company has revealed that for a year malware has been capturing payment-card data from a system that processes payments for several of its properties.
MSG warned customers on Tuesday that the breach had exposed customer data held on the magnetic stripe of credit cards, including card numbers, cardholder names, expiration dates, and internal verification codes.
Card-issuing banks recently notified MSG of suspicious transaction patterns, which led to an investigation by MSG and confirmation of the infection in the last week of October, it said. It's not clear why the company only revealed the incident now.
"Findings from the investigation show external unauthorized access to MSG's payment processing system and the installation of a program that looked for payment-card data, as that data was being routed through the system for authorization," MSG said.
Cards used to buy merchandise and food and drinks at several properties between November 9, 2015 and October 24, 2016 may have been affected.
Affected sites include Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater.
MSG did not reveal exactly how many cards have been affected by the breach. However, millions of people visit the locations to see shows and major sporting events.
The breach did not affect cards used on MSG websites or ticket sales.
MSG said it "stopped this incident" and assured customers it is safe to use their cards again at its venues. It has also provided information to law enforcement.
The card breach at MSG follows a number of similar payment-card breaches affecting large hotel chains and retailers, all due to malware targeting data from transactions at point-of-sale terminals. These include Target, Trump Hotels, and Hyatt Hotels.
HEI Hotels & Resorts in August revealed that 20 US hotels it operated, including Hyatt, Intercontinental, Marriott, and Starwood, had been compromised.
It said card data may have been stolen when customers bought food, drink, and other items at the hotels. The malware in that incident was active on payment-processing systems from March 1, 2015 to June 21, 2016, and was designed to capture card data from transactions at point-of-sale machines.