Marina Bay Sands fined S$315,000 for 2023 data breach

The PDPC notes the failure to take reasonable security measures during a software migration exercise, among other faults

Shikhar Gupta
Published Tue, Oct 28, 2025 · 05:00 PM
    • The Personal Data Protection Commission found that the integrated resort had failed to discover and fix the omitted identifier used in the data migration for six months, leaving its patrons' personal data unprotected.

    [SINGAPORE] The Personal Data Protection Commission (PDPC) has fined Marina Bay Sands (MBS) S$315,000 for a data breach.

    About 665,000 MBS patrons had their personal data illegally accessed and exfiltrated by one or more unknown threat actors in October 2023. The affected data, which included names and contact details that identified the patrons, was later found offered for sale on the dark web.

    MBS “failed to take reasonable security measures” during a large-scale software migration exercise seven months before the breach, said PDPC on Tuesday (Oct 28).

    “MBS’ failure to put in place proper processes, for something as critical as security policy, was a negligent contravention of the Protection Obligation,” it added.

    “As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect their patrons’ personal data.”

    An identifier affecting the Art Science Friends webpage was omitted during the migration, which enabled one or more malicious threat actors to access and extract its patrons’ personal data.

    PDPC found that MBS had relied on a single employee to manually compile a list of application programming interface configurations into the new software. It also had not implemented a second layer of checks.

    The integrated resort then failed to discover and correct the omission for six months, leaving its patrons’ personal data unprotected.

    PDPC added that the S$315,000 penalty factored in the scale of the data breach, following a 2022 increase of the maximum financial penalty for large organisations with annual Singapore turnovers of more than S$10 million. The change paved the way for penalties of up to 10 per cent of their annual turnovers to be imposed.

    The commission also took into consideration MBS’ “voluntary admission of liability”, as well as its implementation of “immediate remediation measures”. These included the reactivation of security measures for the website on the same day.

    In 2023, a few weeks after the breach, MBS chief operating officer Paul Town said that there had been no evidence then that the unauthorised third party had misused the data to “cause harm” to the affected patrons.

    Copyright SPH Media. All rights reserved.