The Personal Data Protection Commission (PDPC) has imposed a S$315,000 fine on Marina Bay Sands (MBS) following a data breach that exposed the personal information of more than 665,000 patrons, according to a media release by the Personal Data Protection Commission Singapore.
The breach was uncovered in October 2023, revealing that names and contact details of customers were illegally accessed and subsequently offered for sale on the dark web.
Key Takeaways:
- MBS fined S$315,000 after a data breach exposed personal details of 665,000+ patrons
- Breach linked to software migration lapse and inadequate security measures
- PDPC warns of increased phishing and identity theft risks for affected individuals
The PDPC warned that the exposed information could increase the risk of phishing scams and identity theft for affected individuals.
Data Breach Tied to Software Migration Failures
The breach originated from a software migration process conducted in March 2023. During the exercise, MBS failed to implement adequate security measures, particularly by omitting an identifier related to the Art Science Friends webpage. This oversight left customer data exposed for approximately six months.
MBS assigned a single employee to manually compile a list of application programming interface (API) configurations without any secondary checks, a lapse described by the PDPC as negligent. The commission noted that as a large company with significant resources, MBS was expected to have more robust data protection protocols in place.
Record Penalty Under Amended Framework
According to The Straits Times, the S$315,000 penalty is the second-highest fine issued under Singapore’s revised financial framework, introduced with the Personal Data Protection (Amendment) Bill 2021.
The amendment allows fines of up to 10% of an organization’s annual turnover for companies with revenues exceeding S$10 million.
In determining the penalty, the PDPC took into account MBS’ voluntary admission of liability and prompt remediation measures, including reactivating security on the affected site on the day the breach was discovered.
The commission highlighted the importance of protecting consumer data to maintain public trust and reaffirmed its commitment to ongoing enforcement actions against breaches of the Personal Data Protection Act (PDPA).
This case follows earlier fines, such as the S$20,000 penalty against the Consumers Association of Singapore for similar data security failures, per Marketing-Interactive.
