Marina Bay Sands Pte Ltd, the operating entity of Singapore’s iconic Marina Bay Sands (MBS) integrated resort, has been fined SG$315,000 (US$243,400) by the Personal Data Protection Commission (PDPC) for a 2023 data breach that saw 665,495 rewards program members affected.
The incident related to the non-casino Sands Lifestyle Rewards program rather than the Sands Rewards Club, MBS said at the time.
The PDPC said in a statement that MBS admitted to breaching its Protection Obligation under the Personal Data Protection Act by failing to take reasonable security measures to protect the personal data in its possession. The incident occurred during a large-scale software migration exercise in March 2023.
“It was necessary for MBS to ensure that security policies (who could access the data) were applied when migrating from the old software to the new,” the PDPC said. “This meant that all related applications accessed through its Application Programming Interfaces (APIs) and respective identifiers needed to be duly covered before and after the migration.
“However, one of the identifiers affecting the Art Science Friends webpage was omitted during the migration. As the webpage no longer had proper security policies in place, this allowed malicious threat actor(s) to access and exfiltrate its patrons’ personal data.”
The Commission said that despite the clear risks involved, MBS had made a single employee responsible for manually compiling the list of API configurations without due second layer checks.
The company had also failed to discover and correct the omission for six months, leaving its patrons’ personal data unprotected.
“MBS’s failure to put in place proper processes to ensure the due implementation of its security policies post-migration was a negligent contravention of the Protection Obligation. As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect their patrons’ personal data,” it stated.
The financial penalty imposed accounted for the scale of the data breach which exposed the personal data of more than half a million patrons without their consent, PDPC explained, adding that it took into account MBS’s voluntary admission of liability and its implementation of immediate remediation measures.
MBS was one of multiple large-scale IR operators impacted by cyberattacks around the same time, with others including US casino giants MGM Resorts and Caesars Entertainment.




























