Data leak hits 665,000 MBS rewards programme members
Sign up now: Get ST's newsletters delivered to your inbox
Marina Bay Sands said it was first aware of the incident on Oct 20, and investigations showed that members’ personal data was accessed by an unknown third party.
ST PHOTO:KUA CHEE SIONG
SINGAPORE – The contact details and other personal information of some 665,000 members of a Marina Bay Sands (MBS) shoppers’ rewards programme were exposed in a data leak between Oct 19 and 20.
In an e-mail to Sands LifeStyle members on Tuesday, the integrated resort operator said it was first aware of the incident on Oct 20, and investigations showed that members’ personal data was accessed by an unknown third party.
In the e-mail, MBS chief operating officer Paul Town said: “Upon discovery of the incident, our teams immediately took action to resolve it. Investigations have since determined that an unknown third party accessed customer data of about 665,000 non-casino rewards programme members.
“Based on our investigation, we do not have evidence to date that the unauthorised third party has misused the data to cause harm to customers.”
He added: “We do not believe that membership data from our casino rewards programme, Sands Rewards Club, was affected.”
MBS has reported the incident to the authorities, he said.
It is working with an external cyber-security firm and has taken action to strengthen its systems, Mr Town added. He did not elaborate on the steps taken to beef up cyber-security measures. He urged members to monitor their accounts for any suspicious activity and to change their log-in credentials regularly, as well as to be vigilant against phishing attempts.
MBS told The Straits Times that the personal data leaked includes members’ names, e-mail addresses, phone numbers, country of residence, and their membership numbers and tiers.
Even though credit card numbers were not leaked, fraudsters can still use personal data such as names and e-mail addresses to personalise phishing campaigns or scams to make them look more authentic, said cyber-security firm Trend Micro Singapore’s country manager David Ng.
For instance, fraudsters may impersonate big retail names and create fake websites to trick shoppers into sharing their personal data.
F5 senior solutions architect Shahnawaz Backer said such data can be used to open unauthorised accounts in the victims’ names.
Research has shown that an individual’s personal information can be worth anywhere up to US$1,000 (S$1,400) or more on the Dark Web, he added.
Affected users should monitor their personal financial accounts for any unusual activities. They should change their passwords for related accounts and any other platforms where they have used the same login details, said Mr Backer.
In 2020, ShopBack’s customer database was breached and put up for sale online.
A data breach in October 2022 at Carousell also exposed the personal information of 1.95 million users. was being sold on the Dark Web and hacking forums.
