
Image credit: Kua Chee Siong (The Straits Times)
Marina Bay Sands (MBS) has been fined S$315,000 (RM1.02 million) by Singapore’s data privacy watchdog after a 2023 data breach exposed the personal information of more than 665,000 customers.
Data leaked, sold on the dark web
In a statement on Tuesday (October 28), the Personal Data Protection Commission (PDPC) said the personal details of 665,495 MBS patrons were “illegally accessed and exfiltrated by unknown threat actors” in October 2023.
The stolen data was later discovered for sale on the dark web. MBS confirmed at the time that the breach involved members of its LifeStyle Rewards Programme, with compromised information including customers’ names, email addresses, phone numbers, countries of residence, and membership details such as tier and number.
The casino’s rewards programme data was not affected.
Security lapse during software migration caused data breach
According to PDPC, MBS violated the Protection Obligation under Singapore’s Personal Data Protection Act (PDPA) by failing to implement adequate security measures during a software migration exercise in March 2023.
The migration involved transferring applications and Application Programming Interfaces (APIs) to a new software system. APIs are key to allowing different apps to communicate but are also among the components most vulnerable to cyberattacks.
PDPC said a critical API identifier linked to the Art Science Friends webpage was omitted during the migration, giving hackers a gateway to access and steal customers’ data.
“It is necessary to ensure that security policies are applied when properly migrating from the old software to the new, including data access rights,” the commission stated.
Reliance on one staff member led to oversight
Despite the high risks, PDPC found that MBS had relied on a single employee to manually compile API configurations and did not conduct secondary checks.
The oversight went undetected for six months, leaving customers’ data exposed and vulnerable to misuse, including phishing scams and identity theft.
Penalty reflects breach scale and cooperation
PDPC said the S$315,000 penalty reflects the scale and severity of the breach, which affected more than half a million customers. The regulator also took into account MBS’s voluntary admission of liability and swift remedial actions, including reactivating website security measures on the same day the breach was detected.
Under amendments to the PDPA made in October 2022, large organisations with an annual turnover exceeding S$10 million can face fines of up to 10% of their annual revenue.
According to its 2024 annual report, MBS posted a net revenue of US$4.2 billion.
PDPC: Protecting consumer data builds trust
Reiterating its stance, PDPC said data protection remains essential to public trust.
“All organisations must adhere to PDPA obligations, and protecting the personal data of consumers is key to building trust,” the commission said.
“PDPC will take appropriate action against organisations that are found to have breached their obligations under PDPA.”
Source: CNA