- Singapore’s Personal Data Protection Commission (PDPC) fined Marina Bay Sands (MBS) following a recent data breach of personal information of over 665,000 customers.
- According to AsiaOne, the PDPC stated that the October 2023 hack involved illicit access to and exfiltration of customer biodata, such as names and other credentials of MBS patrons.
- The agency explained that the act was due to MBS’s “negligent contravention” of its Protection Obligation under the Personal Data Protection Act (PDPA).

The Personal Data Protection Commission (PDPC) has fined Marina Bay Sands (MBS) $240,000. According to ChannelNewsAsia, this penalty came after a critical data breach that resulted in the exposure of personal credentials of over 665,495 customers in 2023.
The agency stated that the attack happened because of errors during a large-scale software migration exercise. A prominent security gap went unnoticed for half a year, enabling anonymous hackers to illegally access customer data before listing the credentials for sale on the dark web.
The fine is the second-largest amount the PDPC has imposed on any legal entity, following its $750,000 fine on Integrated Health Information Systems (IHiS). The IHiS fine was due to the organization’s error in protecting patient data, which led to Singapore’s worst data breach in 2018.
How the MBS Hack Occurred
Investigations revealed that the hack occurred due to MBS’s negligence: the organization didn’t take reasonable security measures during a mainstream software transition in March 2023.
According to the report, the compromised data comprised details of MBS’s LifeStyle rewards program patrons, such as full names, phone numbers, email addresses, membership tier and number, and country of residence.
Also, the membership data from the organization’s casino rewards program was reportedly affected.
The PDPC stated it is important to confirm compliance with security policies, such as data access rights, when transitioning from old software to a new one.
An advisory posted by the Cyber Security Agency of Singapore (CSA) in October 2022 noted that an API enables service communications between multiple apps. APIs perform a key role, as they offer flexibility by simplifying software administration, design, and use.
But APIs are also among the most commonly exploited components of a system and therefore need to be protected against cyber attacks.
Penalty Minimized Following Admission
Notably, PDPC reportedly reduced the penalty because MBS voluntarily admitted liability and promptly acted to restore its security protocols after discovering the attack. Since then, the Singaporean resort has strengthened testing measures for system migrations and extra oversight processes for key security controls.
PDPC stated that securing “personal data is essential to sustaining trust,” and also warned that law enforcement will take necessary actions when legal entities do not meet legal requirements.
The agency also stated that MBS had depended on a single worker to manually compile the list of Application Programming Interface (API) configurations for the transfer. The resort didn’t use any secondary verification, despite obvious risks.
However, the commission emphasized that MBS, given its vast resources and strong presence in Singapore, should have implemented stricter data protection measures. The resort’s $4.2 billion (€3.9 billion) net revenue in 2024 highlighted the regulator’s stance that these security lapses were preventable.