Back

665,000 MBS members data leak: Govt to investigate if there was 'significant harm'

Two affected members have reached out to the Personal Data Protection Commission (PDPC).

Khine Zin Htet | November 22, 2023, 04:27 PM

Events

Telegram

Whatsapp

On Nov. 7, 2023, MBS announced a breach of the personal data of 665,000 Marina Bay Sands (MBS) LifeStyle reward members by an "unknown third party" on Oct. 19 and 20, 2023.

Following that, the government addressed the data breach during a parliamentary sitting held on Nov. 22.

Guidelines for data breaches under PDPA

Member of Parliament (MP) Hany Soh asked if the incident was reported to relevant authorities and, if so, when it was reported. She also asked for the reason for the three-week delay in notifying affected members of the data breach.

Minister for Communications and Information Josephine Teo addressed the question, explaining there is a guide under the Personal Data Protection Act for organisations to follow in managing and notifying data breaches.

She said the guide sets up clear timelines and requirements for organisations to comply with.

MBS discovered the data breach on Oct. 20 and accordingly met the timeframe set out in the guide by notifying the Personal Data Protection Commission (PDPC) on Oct. 24.

On why notifications are not required to be made immediately, Teo explained that there are four things that organisations need to undertake following a data breach.

  1. Immediately seek to contain the breach.

  2. Assess the degree to which the data breach has resulted in loss of data.

  3. Assess whether the breach falls within the requirements for notification, and if so, make the report.

  4. Evaluate their containment efforts to ensure they are secured.

Investigations ongoing

As the priority is on containment and assessment, Teo said that the PDPC gives the organisations "a little bit of time" before they make the notification report.

Regarding the MBS data breach, she added that PDPC is conducting investigations and will provide its findings to the public in due course.

"It will ascertain whether there was significant harm to affected individuals and, correspondingly, whether affected individuals were notified in a timely manner," she said.

Two affected members reached out to PDPC

Soh posed a supplementary question on whether affected members have been given further assistance following the breach.

Teo responded that two affected members have reached out to the PDPC regarding the breach and have asked for PDPC to hold MBS accountable for the breach.

She noted that PDPC intends to do so.

Teo also said that when MBS notified members of the breach, they had clarified the types of personal data that were revealed, which included the name, contact information, country of residence, and membership number, as well as their tiers.

It further provided advice to the affected members on how they could safeguard their accounts with MBS as well as other kinds of personal information, she said.

Imposing further obligations to organisations that possess large volumes of personal data

On whether organisations that could be in possession of large volumes of data should be given enhancements to their obligations during incidents of data breach, Teo highlighted that a higher standard of personal data protection is already required for these organisations.

This includes organisations that hold large quantities of personal data or data that might be more sensitive, such as insurance, medical and financial data.

In such cases, organisations are required to implement enhanced data protection practices, as stipulated in PDPC's guide to data protection practices for information and communications technology (ICT) systems.

In addition, the PDPC has issued an advisory guideline on enforcement of data protection provisions that makes clear that failure to put in place adequate safeguards for large volumes of sensitive personal data can be taken as an aggravating factor in calculating the level of penalties to be imposed on an organisation, she said.

@mothershipsg Minister for Communications and Information Josephine Teo said that the Personal Data Protection Commission (PDPC) will provide its findings to the public in due course. #sgnews #sgparliament #josephineteo #mbs ♬ original sound - Mothership

Related story

Top photo from Unsplash

M'sian helicopter crash that left 10 dead was on 3rd practice run for parade: Defence minister

All 10 crew members were aged below 40.

April 24, 2024, 04:25 PM

Fatal 6-vehicle Tampines accident: Male Saab driver, 42, arrested after discharge from hospital

His driving licence has also been suspended with immediate effect.

April 24, 2024, 04:14 PM

M'sia to install QR code system at Johor land checkpoints, but S'pore passport holders can't use it yet

The pilot initiative starts in June 2024 for Malaysia factory workers.

April 24, 2024, 03:58 PM

i Light S'pore returns with sustainability theme from May 31 to Jun. 23, 2024

Gorgeous.

April 24, 2024, 03:33 PM

Thai Hunks to open mookata joint in Tanglin on May 3, 2024

Muscular men serving.

April 24, 2024, 02:56 PM

Chinese woman, 31, falls off 75m cliff while posing for photo at Indonesian volcano crater edge

She allegedly tripped over the long skirt she wore, causing her to lose balance and fall off the cliff.

April 24, 2024, 02:31 PM

Male motorcyclist, 26, dies in morning PIE accident involving lorry

The motorcyclist was pronounced dead at the scene.

April 24, 2024, 02:10 PM

Indoor retro rollerskating rink, White Rabbit pop-up cafe & more at Clarke Quay till Jul. 31, 2024

It's a party.

April 24, 2024, 02:10 PM

Haidilao S'pore hiring private tutor for secondary school, offering S$4,500-S$6,700 per month

Had some people re-evaluating their career choices.

April 24, 2024, 01:40 PM

Man who posted Tampines accident video from Mercedes’ POV says he’s not the driver, makes police report for harassment

He is not the driver or the owner.

April 24, 2024, 01:27 PM

About | Advertise with us | Contact us | We Are Hiring | Privacy policy

Copyright © 2020 Mothership. All rights reserved.