Marina Bay Sands (MBS) in Singapore has been found negligent for a data breach that compromised the personal information of 665,495 patrons, leading to a fine of S$315,000 (US$243,300). The breach occurred during a software migration between March and October 2023, during which patron data was improperly protected.
The Singapore Personal Data Protection Commission (PDPC) reported that MBS assigned a single employee to manage the transfer of data, who compiled the list of API configurations without adequate checks. This lack of oversight enabled unknown threat actors to access and extract data on October 19-20, 2023.
PDPC officials highlighted that MBS disregarded evident risks involved in the significant migration process. The breached data, which was later found on the dark web, could potentially be used in phishing scams or identity theft.
The information exposed included names, email addresses, phone numbers, country of residence, and membership details from MBS's LifeStyle rewards program, although data from the casino rewards program remained secure.
The regulator criticized MBS, emphasizing that the establishment, given its substantial turnover in Singapore, had the necessary resources to ensure patron data protection. They described the failure to implement proper security processes as a negligent breach of their Protection Obligation.
In 2022, Singapore increased the maximum penalty for organizations with annual revenues exceeding S$10 million to 10% of that revenue, according to Channel News Asia. In the previous year, MBS reported a net revenue of S$5.43 billion.
In response to the breach, MBS launched an investigation and engaged a prominent external cybersecurity firm. Chief Operating Officer Paul Town urged customers to monitor their accounts for unusual activity, change their login information regularly, and remain vigilant against phishing attempts.
