665,000 MBS members data leak: Govt to investigate if there was 'significant harm'

Two affected members have reached out to the Personal Data Protection Commission (PDPC).

Khine Zin Htet | November 22, 2023, 04:27 PM



On Nov. 7, 2023, Marina Bay Sands (MBS) announced that the personal data of 665,000 MBS LifeStyle reward members had been breached by an "unknown third party" on Oct. 19 and 20, 2023.

Following that, the government addressed the data breach during a parliamentary sitting held on Nov. 22.

Guidelines for data breaches under PDPA

Member of Parliament (MP) Hany Soh asked if the incident was reported to relevant authorities and, if so, when it was reported. She also asked for the reason for the three-week delay in notifying affected members of the data breach.

Minister for Communications and Information Josephine Teo addressed the question, explaining there is a guide under the Personal Data Protection Act for organisations to follow in managing and notifying data breaches.

She said the guide sets up clear timelines and requirements for organisations to comply with.

MBS discovered the data breach on Oct. 20 and accordingly met the timeframe set out in the guide by notifying the Personal Data Protection Commission (PDPC) on Oct. 24.

On why notifications are not required to be made immediately, Teo explained that there are four things that organisations need to undertake following a data breach.

  1. Immediately seek to contain the breach.
  2. Assess the degree to which the data breach has resulted in loss of data.
  3. Assess whether the breach falls within the requirements for notification, and if so, make the report.
  4. Evaluate their containment efforts to ensure they are secured.

Investigations ongoing

As the priority is on containment and assessment, Teo said that the PDPC gives the organisations "a little bit of time" before they make the notification report.

Regarding the MBS data breach, she added that PDPC is conducting investigations and will provide its findings to the public in due course.

"It will ascertain whether there was significant harm to affected individuals and, correspondingly, whether affected individuals were notified in a timely manner," she said.

Two affected members reached out to PDPC

Soh posed a supplementary question on whether affected members have been given further assistance following the breach.

Teo responded that two affected members have reached out to the PDPC regarding the breach and have asked for PDPC to hold MBS accountable for the breach.

She noted that PDPC intends to do so.

Teo also said that when MBS notified members of the breach, it had clarified the types of personal data that were revealed, which included the name, contact information, country of residence, and membership number, as well as their tiers.

It further provided advice to the affected members on how they could safeguard their accounts with MBS as well as other kinds of personal information, she said.

Imposing further obligations on organisations that possess large volumes of personal data

On whether organisations that could be in possession of large volumes of data should be subject to enhanced obligations during data breach incidents, Teo highlighted that a higher standard of personal data protection is already required for these organisations.

This includes organisations that hold large quantities of personal data or data that might be more sensitive, such as insurance, medical and financial data.

In such cases, organisations are required to implement enhanced data protection practices, as stipulated in PDPC's guide to data protection practices for information and communications technology (ICT) systems.

In addition, the PDPC has issued an advisory guideline on enforcement of data protection provisions that makes clear that failure to put in place adequate safeguards for large volumes of sensitive personal data can be taken as an aggravating factor in calculating the level of penalties to be imposed on an organisation, she said.
