Marina Bay Sands Pte Ltd

Marina Bay Sands, a Singapore-based casino resort and subsidiary of Las Vegas Sands Corp, suffered a data breach in March 2023 during a large-scale software migration. Because a technical identifier was omitted for a webpage, security policies were improperly configured, allowing malicious actors to illegally access and exfiltrate the personal data of 665,495 patrons, including names and contact details. The breach went undetected for six months until October 2023, when the data was discovered for sale on the dark web.

The Singapore Personal Data Protection Commission (PDPC) imposed a SGD 315,000 (USD 243,200) fine for failing to implement reasonable security measures, citing negligence in migration processes such as relying on a single employee without verification checks. While Marina Bay Sands admitted liability and reactivated security measures immediately upon discovery, the breach exposed over half a million customers' data, severely undermining trust. The incident highlights critical gaps in enterprise-level data protection during high-risk IT operations.

Source: https://www.ggrasia.com/marina-bay-sands-fined-us243k-over-2023-data-breach-involving-665000-clients

TPRM report: https://www.rankiteo.com/company/marina-bay-sands-pte-ltd

"id": "mar0932709102825",
"linkid": "marina-bay-sands-pte-ltd",
"type": "Breach",
"date": "3/2023",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': '665,495 patrons',
                        'industry': ['Hospitality', 'Gaming', 'Entertainment'],
                        'location': 'Singapore',
                        'name': 'Marina Bay Sands Pte Ltd',
                        'size': 'Large enterprise (subsidiary of Las Vegas '
                                'Sands Corp)',
                        'type': 'Casino Resort Operator'}],
 'attack_vector': ['misconfigured security policies during software migration',
                   'technical identifier omission in webpage'],
 'customer_advisories': ['Public disclosure of breach to affected patrons via '
                         'media statements'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '665,495',
                 'personally_identifiable_information': ['names',
                                                         'contact details'],
                 'sensitivity_of_data': 'Moderate (names, contact details)',
                 'type_of_data_compromised': ['personal data',
                                              'loyalty programme membership '
                                              'data']},
 'date_detected': '2023-10-20',
 'date_publicly_disclosed': '2023-11-00',
 'description': 'The operator of the casino resort Marina Bay Sands in '
                'Singapore experienced a data breach in March 2023 during a '
                'large-scale software migration exercise. The breach involved '
                'the unauthorized access and exfiltration of personal data '
                'belonging to 665,495 patrons, including names and contact '
                'details. The data was later found for sale on the dark web. '
                'The incident was discovered in October 2023, and the company '
                'was fined SGD315,000 (US$243,200) by Singapore’s Personal '
                'Data Protection Commission (PDPC) for failing to implement '
                'reasonable security measures during the migration.',
 'impact': {'brand_reputation_impact': 'High (personal data of 665,495 patrons '
                                       'exposed)',
            'data_compromised': True,
            'financial_loss': 'SGD315,000 (US$243,200) regulatory fine',
            'identity_theft_risk': 'Moderate (names and contact details '
                                   'exposed)',
            'legal_liabilities': 'Fined SGD315,000 under Singapore’s Personal '
                                 'Data Protection Act',
            'systems_affected': ['loyalty programme membership database',
                                 'webpage with omitted security identifier']},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'entry_point': 'Misconfigured webpage lacking '
                                          'security policies post-migration',
                           'high_value_targets': ['loyalty programme '
                                                  'membership database']},
 'investigation_status': 'Completed (PDPC investigation concluded with fine '
                         'imposed)',
 'lessons_learned': ['Large-scale software migrations require robust security '
                     'validation processes, including multi-layer checks.',
                     'Single-point accountability for critical security tasks '
                     'increases risk of human error.',
                     'Delayed detection of vulnerabilities (6 months in this '
                     'case) significantly exacerbates exposure risks.',
                     'Large enterprises must allocate proportional resources '
                     'to data protection, especially during high-risk '
                     'activities like migrations.'],
 'motivation': ['financial gain (data sold on dark web)', 'opportunistic'],
 'post_incident_analysis': {'corrective_actions': ['Reactivated security '
                                                   'measures for the affected '
                                                   'systems.',
                                                   'Voluntary admission of '
                                                   'liability and cooperation '
                                                   'with PDPC.',
                                                   'Review of software '
                                                   'migration and security '
                                                   'validation processes.'],
                            'root_causes': ['Human error during software '
                                            'migration (omission of technical '
                                            'identifier for webpage security '
                                            'policies).',
                                            'Inadequate validation processes '
                                            '(single employee responsible for '
                                            'manual compilation without '
                                            'checks).',
                                            'Delayed detection due to lack of '
                                            'post-migration monitoring '
                                            '(6-month gap between '
                                            'vulnerability introduction and '
                                            'discovery).',
                                            'Failure to implement '
                                            'organizational safeguards '
                                            'proportional to the scale of the '
                                            'migration.']},
 'recommendations': ['Implement automated validation tools for security policy '
                     'migrations to reduce human error.',
                     'Establish mandatory second-layer reviews for all '
                     'critical security-related changes.',
                     'Conduct post-migration security audits to verify policy '
                     'enforcement.',
                     'Enhance monitoring for dark web activity related to '
                     'exposed data.',
                     'Provide additional training for employees handling '
                     'sensitive data migrations.'],
 'references': [{'source': 'Singapore’s Personal Data Protection Commission '
                           '(PDPC) Announcement'},
                {'date_accessed': '2023-11-00',
                 'source': 'GGRAsia - Marina Bay Sands Spokesperson '
                           'Statement'}],
 'regulatory_compliance': {'fines_imposed': 'SGD315,000 (US$243,200)',
                           'regulations_violated': ['Singapore’s Personal Data '
                                                    'Protection Act '
                                                    '(Protection Obligation)'],
                           'regulatory_notifications': ['Notified by '
                                                        'Singapore’s Personal '
                                                        'Data Protection '
                                                        'Commission (PDPC)']},
 'response': {'communication_strategy': ['Public disclosure in November 2023 '
                                         'via spokesperson statement to '
                                         'GGRAsia',
                                         'Regulatory announcement by PDPC'],
              'containment_measures': ['Reactivated security measures for the '
                                       'affected webpage on the same day as '
                                       'discovery (2023-10-20)'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Implemented immediate security fixes',
                                       'Reviewed software migration '
                                       'processes']},
 'title': 'Marina Bay Sands Data Breach (2023)',
 'type': ['data breach', 'unauthorized access', 'data exfiltration'],
 'vulnerability_exploited': 'Lack of proper security policies post-migration '
                            'due to human error (single employee responsible '
                            'for manual compilation without second-layer '
                            'checks)'}