
Marina Bay Sands fined S$315,000 over data breach that affected more than 665,000 customers

The leaked data, which included names and contact details that identified Marina Bay Sands' patrons, was later found offered for sale on the dark web.

Anglers walk along a breakwater as the Marina Bay Sands and city skyline is seen from Marina East in Singapore on Oct 14, 2025. (Photo: AFP/Roslan Rahman)

SINGAPORE: Marina Bay Sands (MBS) has been fined S$315,000 (US$243,300) by Singapore’s data privacy watchdog over a data breach two years ago that affected more than 665,000 customers.

In October 2023, 665,495 Marina Bay Sands patrons had their personal data "illegally accessed and exfiltrated by unknown threat actor(s)", the Personal Data Protection Commission (PDPC) said on Tuesday (Oct 28).

The leaked data was later found offered for sale on the dark web, according to PDPC.

MBS said in November 2023 that the breach involved the data of its LifeStyle rewards programme members, including names, email addresses, phone numbers, country of residence, as well as membership number and tier. 

It added that investigations had determined that an unknown third party had accessed the data and that membership data from MBS' casino rewards programme were believed to be unaffected.

The watchdog said on Tuesday that MBS had admitted to breaching the Protection Obligation under the Personal Data Protection Act (PDPA) when it failed to take reasonable security measures during a large-scale software migration exercise in March 2023.

The exercise involved migrating old software to new software. This included all applications that are accessible via the Application Programming Interfaces (APIs) and their respective identifiers, which had to be migrated accordingly.

According to an advisory published by the Cyber Security Agency of Singapore (CSA) in October 2022, APIs facilitate service communications between two or more apps and perform a vital role as they provide flexibility by simplifying software design, administration and use.

However, they are also the most commonly exposed component of a system and thus have to be secured against attacks.

"It is necessary to ensure that security policies are applied when properly migrating from the old software to the new, including data access rights," said PDPC.

"In this case, one of the identifiers affecting the Art Science Friends webpage was omitted during the migration. This allowed malicious threat actor(s) to access and exfiltrate its patrons’ personal data."

Such data leaks can be further exploited in phishing scams or identity theft, it added.

Despite the "clear risks" involved in such a migration exercise, PDPC noted that MBS relied on a single employee to manually compile a list of API configurations into the new software and did not implement second-layer checks.

As a result, MBS failed to discover and correct the omission for six months, leaving the personal data of its customers unprotected.

"MBS' failure to put in place proper processes for something as critical as security policy was a negligent contravention of the Protection Obligation," said PDPC.

"As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect their patrons' personal data."

FINE ACCOUNTED FOR SCALE OF DATA BREACH

In October 2022, parliament raised the maximum financial penalty for large organisations with annual turnovers in Singapore of more than S$10 million, allowing penalties of up to 10 per cent of their annual turnovers.

MBS' net revenue in 2024 reached a new high of US$4.2 billion, according to its annual report.

The S$315,000 fine imposed on MBS accounted for the scale of the data breach, which exposed the personal data of more than half a million patrons without their consent, PDPC said.

The watchdog added that it took into consideration MBS’ voluntary admission of liability and its implementation of immediate remediation measures, including reactivating security measures for the website on the same day.

"All organisations must adhere to the PDPA obligations, and protecting the personal data of consumers is key to building trust," said PDPC.

"PDPC will take appropriate action against organisations that are found to have breached their obligations under PDPA."

Source: Âé¶¹/ec(sn)