Marina Bay Sands in Singapore has been fined S$315,000 for breaching the Personal Data Protection Act (PDPA).
The fine relates to an incident in October 2023, when the resort suffered a cybersecurity incident involving unauthorised third-party access to the data of over 665,000 non-casino rewards programme members.
The data included name, telephone number, country of residence, membership number and rewards programme tier.
Singapore’s Personal Data Protection Commission (PDPC) said that the accessed data was later found for sale on the dark web and could be exploited in phishing scams or identity theft.
The data breach occurred during a software migration, which, according to the PDPC, the operator left to a single employee. That person manually compiled the list of API configurations, without second-layer checks. Because of the lack of checks, an unknown party was able to access and exfiltrate the data illegally.
The PDPC concluded that Marina Bay Sands (MBS) ignored the clear risks associated with such a large migration.
“As a large enterprise with significant turnover in Singapore, MBS had the required resources to protect its patrons,” said the Commission. “MBS’ failure to put in place proper processes for something as critical as security policy was a negligent contravention of the Protection Obligation”.
The penalty was determined in accordance with the revised framework introduced by the Personal Data Protection (Amendment) Bill 2021, which sets the maximum financial penalty for organisations with S$10 million-plus in annual turnover at 10 per cent of turnover.