Marina Bay Sands has been fined $315,000 by Singapore's Personal Data Protection Commission (PDPC) for a data breach that compromised the personal information of 665,495 patrons.
The unauthorised data access occurred in October 2023, when unknown threat actors infiltrated the integrated resort's systems and extracted customer information, The Straits Times reported.
Breach Timeline and Discovery
The unauthorised access took place on 19 Oct and 20 Oct 2023. Marina Bay Sands discovered the security incident on 20 Oct 2023 and notified the PDPC on 24 Oct 2023.
The compromised data included names, email addresses, phone numbers, countries of residence, membership numbers and tier levels from the LifeStyle rewards programme. Casino rewards programme membership data was not affected.
The stolen information later surfaced for sale on the dark web. The PDPC warned that such data can be exploited in phishing scams or identity theft: a record that pairs a name and contact details with a genuine membership number and tier level lets an attacker impersonate the rewards programme far more convincingly than a generic phishing message would.
Software Migration Failure
The breach stemmed from security lapses during a large-scale software migration exercise conducted in March 2023, seven months before the data theft itself. Marina Bay Sands failed to take reasonable security measures when moving from the old software to the new systems.
During the migration of Application Programming Interfaces (APIs) and their identifiers, one identifier, the one covering the ArtScience Friends webpage, was omitted. That omission left a gap that allowed the attackers to access and extract patron data.
Marina Bay Sands relied on a single employee to compile the list of API configurations by hand, with no second-layer check of the result. The omission went undiscovered and uncorrected for six months, leaving customer data exposed throughout that period.
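The control the PDPC found missing here is a second, independent check of the hand-compiled list. The mechanical form of that check is a reconciliation of the pre-migration API inventory against the list compiled for the new system, which flags any identifier that was dropped, any that appeared without a source record, and any whose mapping changed. The following is an added example and not code from Marina Bay Sands or from the PDPC decision; the JSON inventory format, the identifier values and the paths are constructed assumptions for illustration.

```python
import json

# Constructed sample inventories (assumptions, not real Marina Bay Sands data):
# OLD_INVENTORY stands in for an export from the system being retired,
# NEW_INVENTORY for the list compiled by hand for the new system.
OLD_INVENTORY = json.dumps([
    {"id": "api-0001", "path": "/rewards/profile"},
    {"id": "api-0002", "path": "/rewards/tier"},
    {"id": "api-0003", "path": "/artscience/friends"},
    {"id": "api-0004", "path": "/events/list"},
])

NEW_INVENTORY = json.dumps([
    {"id": "api-0001", "path": "/rewards/profile"},
    {"id": "api-0002", "path": "/rewards/tier"},
    # api-0003 is absent: the manual compile dropped it
    {"id": "api-0004", "path": "/events/list"},
    # api-0099 has no counterpart in the old export
    {"id": "api-0099", "path": "/promotions/list"},
])


def load_ids(inventory_json: str) -> dict:
    """Parse an inventory export into {identifier: path}.

    Duplicate identifiers are rejected rather than merged, so a copy-paste
    slip in a hand-compiled list cannot hide behind a later entry.
    """
    ids = {}
    for entry in json.loads(inventory_json):
        if entry["id"] in ids:
            raise ValueError(f"duplicate identifier {entry['id']}")
        ids[entry["id"]] = entry["path"]
    return ids


def reconcile(old_json: str, new_json: str) -> dict:
    """Compare the two inventories and report every discrepancy.

    'missing'    identifiers present before the migration but absent after it
    'unexpected' identifiers that exist only in the new list
    'changed'    identifiers present in both but mapped to a different path
    """
    old, new = load_ids(old_json), load_ids(new_json)
    missing = sorted(set(old) - set(new))
    unexpected = sorted(set(new) - set(old))
    changed = sorted(i for i in set(old) & set(new) if old[i] != new[i])
    return {"missing": missing, "unexpected": unexpected, "changed": changed}


def migration_complete(old_json: str, new_json: str) -> bool:
    """True only when the reconciliation reports no discrepancy at all.

    Any non-empty bucket means the migration must not be signed off until
    a second person has explained or corrected each entry.
    """
    report = reconcile(old_json, new_json)
    return not (report["missing"] or report["unexpected"] or report["changed"])


if __name__ == "__main__":
    report = reconcile(OLD_INVENTORY, NEW_INVENTORY)
    for bucket, ids in report.items():
        print(f"{bucket}: {ids}")
    print("complete:", migration_complete(OLD_INVENTORY, NEW_INVENTORY))
```

Run as a gate in the migration runbook, the sign-off step refuses to proceed while `migration_complete` is false; in the sample data it reports `api-0003` as missing and `api-0099` as unexpected, which is exactly the class of omission that went unnoticed for six months in this case.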
Regulatory Action
The PDPC determined that Marina Bay Sands breached the Protection Obligation under the Personal Data Protection Act. The company admitted liability for failing to implement adequate security measures during the migration.
The $315,000 fine is the second-highest amount ever issued by the PDPC, trailing only the $750,000 fine imposed on Integrated Health Information Systems for the lapses that led to the 2018 SingHealth data breach, which affected 1.5 million patients.
