MBS fined S$315,000 under PDPA for data breach of 665,495 patrons' personal details
MBS relied on one employee to manually compile a list of API configurations into the new software, which led to a vulnerability.
Marina Bay Sands Pte Ltd (MBS) has been handed a financial penalty of S$315,000 by the Personal Data Protection Commission (PDPC), over a 2023 data breach involving the personal data of 665,495 patrons.
Their data ended up for sale on the dark web, including names and contact details that could be used to identify MBS patrons.
The penalty was announced in a press release by the PDPC on Oct. 28.
Data sold on dark web
In October 2023, 665,495 MBS patrons had their personal data illegally accessed and exfiltrated by unknown threat actor(s), PDPC said.
The affected data included names and contact details that identified MBS patrons.
These were later found for sale on the dark web and could be further exploited in phishing scams or identity theft.
The breach occurred during a large-scale software migration exercise in Mar. 2023.
MBS admitted to breaching its protection obligation when it failed to take reasonable security measures to protect the personal data in its possession.
Relied on one person during data migration exercise
Explaining how the breach happened, PDPC said that when migrating from old software to new, every application accessible via an Application Programming Interface (API), together with its identifiers, must be migrated.
API is a set of rules or protocols that enable software applications to communicate with each other to exchange data, features and functionality.
API identifiers are unique keys used to authenticate software and systems attempting to access other software or systems.
In MBS' case, one of the identifiers for the Art Science Friends webpage was omitted during the migration.
This omission allowed malicious threat actor(s) to access and exfiltrate patrons' personal data.
"Despite the clear risks involved in such a migration exercise, PDPC found that MBS had relied on a single employee to manually compile a list of API configurations into the new software, and without implementing second layer checks," PDPC pointed out.
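The "second layer check" PDPC says was missing, as an added illustration that is not MBS's code and is not described in the PDPC decision: a script that diffs the old API gateway configuration against the newly compiled one and flags every endpoint whose authentication identifier was omitted, changed, or left blank, and every endpoint that disappeared outright. The configuration layout, endpoint paths and key identifiers below are constructed for the example and do not correspond to any real MBS system.

```python
"""
Added example: an automated migration check for API configurations.
The old configuration is treated as the source of truth; the new one is
the manually compiled result. Anything that weakens authentication on an
endpoint, or drops an endpoint, is reported so the migration fails closed.
All endpoint names, identifiers and the JSON layout are constructed.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: the configuration before migration.
OLD_CONFIG_JSON = """
{
  "endpoints": {
    "/api/v1/members/profile":      {"auth": {"key_id": "key-members-01"}, "rate_limit": 100},
    "/api/v1/newsletter/subscribers": {"auth": {"key_id": "key-news-07"},  "rate_limit": 50},
    "/api/v1/events/public":        {"auth": null,                         "rate_limit": 500},
    "/api/v1/loyalty/balance":      {"auth": {"key_id": "key-loyalty-03"}, "rate_limit": 20},
    "/api/v1/members/export":       {"auth": {"key_id": "key-members-02"}, "rate_limit": 5}
  }
}
"""

# Constructed sample: the hand-compiled new configuration. One endpoint lost
# its identifier, one was omitted entirely, one picked up a different key,
# and one new endpoint was added with an empty key.
NEW_CONFIG_JSON = """
{
  "endpoints": {
    "/api/v1/members/profile":      {"auth": {"key_id": "key-members-01"}, "rate_limit": 100},
    "/api/v1/newsletter/subscribers": {"rate_limit": 50},
    "/api/v1/events/public":        {"auth": null,                         "rate_limit": 500},
    "/api/v1/loyalty/balance":      {"auth": {"key_id": "key-loyalty-04"}, "rate_limit": 20},
    "/api/v1/newsletter/export":    {"auth": {"key_id": ""},               "rate_limit": 5}
  }
}
"""


@dataclass
class MigrationReport:
    missing_endpoints: list = field(default_factory=list)  # in old, absent from new
    auth_dropped: list = field(default_factory=list)       # had a key, now has none
    auth_changed: list = field(default_factory=list)       # key identifier differs
    new_unprotected: list = field(default_factory=list)    # new endpoint with no key

    def ok(self) -> bool:
        """True only when nothing was dropped, changed, or left unprotected."""
        return not (self.missing_endpoints or self.auth_dropped
                    or self.auth_changed or self.new_unprotected)


def key_id_of(endpoint_cfg: dict):
    """Return the endpoint's auth identifier, or None if it has no usable one.
    A missing "auth" block, a null block, or an empty/whitespace key all count
    as unauthenticated, since that is how a gateway would treat them."""
    auth = endpoint_cfg.get("auth")
    if not isinstance(auth, dict):
        return None
    key_id = auth.get("key_id")
    return key_id if isinstance(key_id, str) and key_id.strip() else None


def check_migration(old_config: dict, new_config: dict) -> MigrationReport:
    """Compare two parsed configurations and report every regression."""
    old_eps = old_config["endpoints"]
    new_eps = new_config["endpoints"]
    report = MigrationReport()
    for path, old_cfg in old_eps.items():
        if path not in new_eps:
            report.missing_endpoints.append(path)
            continue
        old_key, new_key = key_id_of(old_cfg), key_id_of(new_eps[path])
        if old_key is not None and new_key is None:
            report.auth_dropped.append(path)
        elif old_key != new_key:          # deliberately public endpoints stay quiet
            report.auth_changed.append(path)
    for path, new_cfg in new_eps.items():
        if path not in old_eps and key_id_of(new_cfg) is None:
            report.new_unprotected.append(path)
    return report


def check_migration_json(old_json: str, new_json: str) -> MigrationReport:
    """Convenience wrapper over raw JSON documents."""
    return check_migration(json.loads(old_json), json.loads(new_json))


if __name__ == "__main__":
    rep = check_migration_json(OLD_CONFIG_JSON, NEW_CONFIG_JSON)
    for label, paths in (("missing", rep.missing_endpoints), ("auth dropped", rep.auth_dropped),
                         ("auth changed", rep.auth_changed), ("new unprotected", rep.new_unprotected)):
        for p in paths:
            print(f"{label:16} {p}")
    raise SystemExit(0 if rep.ok() else 1)
```

Wired into a deployment pipeline, a non-zero exit blocks the cutover until a second person reconciles each flagged path against the old configuration; the point is that the check is mechanical and runs on every migration, rather than depending on one person's list being complete.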
Undetected for six months
The omission was undetected for six months, during which patrons' personal data was unprotected.
As such, MBS' failure to put in place proper processes "for something as critical as security policy" was a "negligent" contravention of the protection obligation.
"As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect their patrons’ personal data," PDPC said.
MBS was fined under the Personal Data Protection Act (PDPA) for failing to meet its protection obligation.
The protection obligation prescribed under the PDPA requires an organisation to make reasonable security arrangements to protect personal data in its possession or under its control.
In deciding on the penalty, PDPC took into account MBS' voluntary admission of liability and its implementation of immediate remediation measures, including reactivating security measures for the website on the same day.
Top image via Marina Bay Sands