Marina Bay Sands (MBS)

Marina Bay Sands (MBS) in Singapore was fined S$315,000 under the Personal Data Protection Act (PDPA) after a cybersecurity breach in October 2023 exposed the personal data of over 665,000 non-casino rewards programme members. The compromised data, including names, telephone numbers, countries of residence, membership numbers, and rewards programme tiers, was later found for sale on the dark web, increasing the risk of phishing scams and identity theft.

The breach occurred during a software migration, where MBS entrusted the process to a single employee without implementing second-layer security checks. This negligence allowed an unauthorised third party to access and exfiltrate the data illegally. Singapore’s Personal Data Protection Commission (PDPC) criticised MBS for failing to adopt adequate security measures, despite being a large enterprise with significant resources. The PDPC ruled that MBS ignored clear risks associated with the migration, violating the Protection Obligation under the PDPA. The penalty was calculated under the 2021 Amendment Bill, which permits fines of up to 10% of annual turnover for organisations with revenues exceeding S$10 million.

Source: https://www.gamingintelligence.com/legal/221932-marina-bay-sands-fined-s315000-for-customer-data-breach/

TPRM report: https://www.rankiteo.com/company/marina-bay-sands-pte-ltd

"id": "mar3632436103025",
"linkid": "marina-bay-sands-pte-ltd",
"type": "Breach",
"date": "6/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '665,000+ (Non-Casino Rewards '
                                              'Programme Members)',
                        'industry': 'Hospitality & Gaming',
                        'location': 'Singapore',
                        'name': 'Marina Bay Sands',
                        'size': 'Large Enterprise',
                        'type': 'Resort/Casino Operator'}],
 'attack_vector': 'Unauthorized Access (Exploiting Weak API Security During '
                  'Migration)',
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '665,000+',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'Moderate to High (Identity Theft '
                                        'Risk)',
                 'type_of_data_compromised': ['Personal Identifiable '
                                              'Information (PII)',
                                              'Membership Data']},
 'date_detected': '2023-10',
 'description': 'Marina Bay Sands in Singapore suffered a cybersecurity '
                'incident involving unauthorized third-party access to the '
                'data of over 665,000 non-casino rewards programme members. '
                'The breach occurred during a software migration, where a '
                'single employee manually compiled API configurations without '
                'second-layer checks, leading to data exfiltration. The '
                'accessed data, including names, phone numbers, and membership '
                'details, was later found for sale on the dark web, posing '
                'risks for phishing and identity theft.',
 'impact': {'brand_reputation_impact': 'High (Data Sold on Dark Web, Risk of '
                                       'Phishing/Identity Theft)',
            'data_compromised': ['Name',
                                 'Telephone Number',
                                 'Country of Residence',
                                 'Membership Number',
                                 'Rewards Programme Tier'],
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Fined S$315,000 under PDPA',
            'systems_affected': ['Rewards Programme Database']},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'entry_point': 'Weak API Security During Software '
                                          'Migration',
                           'high_value_targets': ['Rewards Programme Member '
                                                  'Data']},
 'investigation_status': 'Completed (PDPC Investigation Concluded)',
 'lessons_learned': 'Large enterprises must implement robust security '
                    'processes, especially during critical operations like '
                    'software migrations. Relying on a single employee without '
                    'second-layer checks is negligent and exposes '
                    'organizations to significant risks.',
 'motivation': 'Financial Gain (Data Sold on Dark Web)',
 'post_incident_analysis': {'root_causes': ['Lack of second-layer security '
                                            'checks in API configurations.',
                                            'Over-reliance on a single '
                                            'employee for critical migration '
                                            'tasks.',
                                            'Failure to assess risks '
                                            'associated with large-scale data '
                                            'migration.']},
 'recommendations': ['Implement multi-layered security checks for API '
                     'configurations.',
                     'Conduct thorough risk assessments before major system '
                     'migrations.',
                     'Ensure adequate staffing and oversight for high-risk '
                     'operations.',
                     'Monitor dark web for exposed data proactively.',
                     'Enhance employee training on data protection '
                     'obligations.'],
 'references': [{'source': 'Singapore Personal Data Protection Commission '
                           '(PDPC)'}],
 'regulatory_compliance': {'fines_imposed': 'S$315,000',
                           'regulations_violated': ['Singapore Personal Data '
                                                    'Protection Act (PDPA)'],
                           'regulatory_notifications': 'Notified by Singapore '
                                                       'Personal Data '
                                                       'Protection Commission '
                                                       '(PDPC)'},
 'threat_actor': 'Unknown',
 'title': 'Marina Bay Sands Data Breach (October 2023)',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Lack of Second-Layer Security Checks in API '
                            'Configurations'}