Marina Bay Sands found ‘negligent’ in data leak that affected 665,000 patrons

Singapore officials have slapped Marina Bay Sands with a S$315K penalty for the 2023 data breach that put customer info onto the dark web.

Marina Bay Sands (MBS) in Singapore must pay S$315,000 (US$243,300) for failing to protect patron data during a 2023 software migration. That left the personal information of 665,495 customers exposed for more than six months, from March to October 2023.

According to the Singapore Personal Data Protection Commission (PDPC), MBS made a single employee responsible for the transfer. That person manually compiled the list of API configurations, minus second-layer checks. Such carelessness allowed “unknown threat actor(s)” to illegally access and exfiltrate the data on 19-20 October of that year.

In handing down the penalty, PDPC officials said MBS ignored “clear risks” to complete the massive migration exercise. The leaked information was later offered for sale on the dark web. There, “it can be exploited in phishing scams or identity theft”, the PDPC said.

Data included names, emails, phone numbers

The info was poached from MBS’ LifeStyle rewards programme. It included names, email addresses, phone numbers, country of residence and membership number and tier. The property’s casino rewards programme was not accessed.

“As a large enterprise with significant turnover in Singapore, MBS had the required resources to protect their patrons,” the watchdog scolded. “MBS’ failure to put in place proper processes for something as critical as security policy was a negligent contravention of the Protection Obligation.”

In 2022, Singapore raised the maximum financial penalty for organisations with S$10 million-plus in annual turnover to 10% of that turnover, reports Channel News Asia. Last year, MBS posted net revenue of S$5.43 billion.

Marina Bay Sands’ mea culpa

Following the cyberleak, MBS assured customers it had “quickly launched an investigation” and engaged a leading external cybersecurity firm. The Las Vegas Sands organisation pledged to “further strengthen our systems and protect data”.

Chief Operating Officer Paul Town advised patrons to “monitor your account for suspicious activity, change your log-in pin regularly and be extra vigilant against phishing attempts”.