Marina Bay Sands fined over major 2023 data breach

Singapore’s data protection watchdog ruled that the casino resort failed to take “reasonable security measures”.

Singapore.- The integrated resort Marina Bay Sands (MBS) has been fined SGD 315,000 (US$243,000) by the Personal Data Protection Commission (PDPC) for a 2023 data breach that compromised the personal information of more than 665,000 customers. The incident, discovered in October 2023, involved unauthorised access by unknown actors who extracted names, contact details and other personal identifiers from the customer database.

The breach affected members of MBS’s LifeStyle rewards programme, and the stolen data was later found for sale on the dark web. The company said its Sands Rewards Club casino data was not impacted.

According to the PDPC, the breach occurred during a large-scale software migration in March 2023, when a technical identifier was omitted. The error, stemming from a failure to properly configure APIs, left personal data unprotected for six months.

Investigators found that the migration process had been handled by a single employee without any secondary checks, which the regulator described as a “negligent contravention” of Singapore’s data protection laws. The fine, one of the largest imposed under Singapore’s updated data protection framework, accounted for the scale of the breach and the sensitivity of the information exposed. The PDPC noted MBS’s voluntary admission of liability and prompt remediation efforts, including the immediate reactivation of security measures once the breach was detected.

See also:

See also: Singapore police make arrests for alleged illegal gambling after Meta shares info

Singapore’s data protection watchdog ruled that the casino resort failed to take “reasonable security measures”. Singapore.- The integrated resort Marina Bay Sands (MBS) has been fined SGD 315,000 (US$243,000) by…