Singapore’s Personal Data Protection Commission has fined Marina Bay Sands $315,000 for a data breach that exposed personal information of 665,495 patrons.
Unknown hackers broke into the integrated resort’s systems in October 2023 and stole customer data, The Straits Times reported.
What Happened
The hackers accessed the system on 19 Oct and 20 Oct 2023. Marina Bay Sands spotted the breach on 20 Oct 2023. The company informed the PDPC four days later on 24 Oct 2023.
The stolen data included names, email addresses, phone numbers, country of residence, membership numbers and tier levels from the LifeStyle rewards programme. Casino rewards programme membership data was not affected.
The information later appeared on the dark web for sale. The PDPC said criminals could use such data for phishing scams or identity theft.
How It Happened
The breach happened because of security failures during a software migration in March 2023—seven months before the actual theft. Marina Bay Sands didn’t take adequate security measures when moving from old software to new systems.
During the migration of Application Programming Interfaces and their identifiers, the company left out one identifier for the ArtScience Friends webpage. That mistake created a gap that let hackers in.
Marina Bay Sands assigned one employee to manually compile the list of API configurations. No one double-checked the work. The company didn’t catch the error for six months, leaving customer data exposed the entire time.
The Fine
The PDPC found Marina Bay Sands violated the Protection Obligation under the Personal Data Protection Act. The company admitted it failed to implement proper security protocols during the migration.
The $315,000 penalty is the second-highest the PDPC has ever issued. The highest was $750,000, which went to Integrated Health Information Systems after the 2018 SingHealth data breach that hit 1.5 million patients.
