SINGAPORE: The Personal Data Protection Commission (PDPC) has fined Marina Bay Sands (MBS) $315,000 after a data breach exposed the personal information of more than 665,000 customers.
The breach, which came to light in October 2023, saw names and contact details of roughly 665,500 customers stolen and later put up for sale on the dark web.
Investigators traced the problem back to a software migration exercise carried out in March that year, when an identifier linked to MBS’ “Friends of the ArtScience” website was left out, creating a gap in the system that hackers eventually exploited.
The vulnerability went unnoticed for about six months before it was discovered and patched.
MBS admitted it had not taken adequate steps to protect customers’ data during the migration, in breach of its obligations under the Personal Data Protection Act (PDPA).
The PDPC’s report noted that despite the scale and complexity of the system overhaul, MBS had relied on a single employee to manually compile API configurations for the new platform. There was no second pair of eyes to check the work.
The $315,000 fine was decided under the tougher penalty framework introduced in 2021, which allows fines of up to 10 per cent of a company’s annual turnover for major breaches.
The commission said organisations that handle large amounts of personal data must tighten their defences, both technical and operational, especially during major IT upgrades or system migrations.


