Marina Bay Sands fined $315,000 over 2023 data breach involving over 600k visitors


The company failed to protect personal data during a large-scale software migration exercise in 2023.


SINGAPORE – Marina Bay Sands (MBS) has been hit with a $315,000 fine by the Personal Data Protection Commission (PDPC), two years after a data breach leaked the personal information of more than 600,000 visitors.

The fine is the second-highest amount meted out by PDPC, after the $750,000 fine on Integrated Health Information Systems (IHiS) for lapses in securing patient data that resulted in the nation’s worst data breach in 2018.

Since October 2022, the maximum penalty that a company with an annual turnover of more than $10 million in Singapore can face for a data breach is 10 per cent of its turnover, or $1 million.

Previously, organisations that violated the Personal Data Protection Act (PDPA) would face a financial penalty of up to $1 million.

“Under the revised financial penalty framework, the penalty (on MBS) accounted for the scale of the data breach which exposed the personal data of more than half a million patrons without their consent,” said the commission on Oct 28, adding that the casino and hotel operator had admitted to breaching the protection obligation under the PDPA.

“PDPC also took into consideration MBS’ voluntary admission of liability, and its implementation of immediate remediation measures, including reactivating security measures for the website on the same day.”

The commission said the leaked data, which included names and contact details of visitors, was later found offered for sale on the Dark Web.

The breach occurred in October 2023, when 665,495 visitors to the resort had their data illegally accessed and extracted by unknown threat actors.

MBS had failed to take “reasonable security measures” to protect the personal data in its possession during a large-scale software migration exercise in March 2023, said the commission.

When migrating from old software to new, security policies need to be applied to all applications accessible via application programming interfaces (APIs) and to their respective identifiers.

However, one of the identifiers affecting the ArtScience Friends webpage was omitted during the migration, which eventually allowed the threat actor to access and extract personal data, said the commission.

MBS had relied on one employee to manually compile a list of API configurations and failed to implement additional checks despite the clear risks involved in such a migration exercise, said PDPC.

“(It) failed to discover and correct the omission for six months, leaving its patrons’ personal data unprotected.

“As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect their patrons’ personal data,” said the commission.

“Such data leaks can be further exploited in phishing scams or identity theft.”

MBS had recently set another record financial performance, with its earnings soaring 83 per cent to hit $965 million in the third quarter of 2025.

The fine imposed on IHiS came after a cyber attack on SingHealth in June 2018, which compromised the personal information of 1.5 million patients. The tech vendor for Singapore’s healthcare sector has since been rebranded as Synapxe.

SingHealth, as the owner of the patient database system, was fined $250,000.
