Marina Bay Sands fined S5,000 for 2023 data breach

Marina Bay Sands fined S$315,000 for 2023 data breach

October 28, 2025 / Swedan Margen /


IMDA notes the failure to take reasonable security measures during a software migration exercise, among other faults

[SINGAPORE] The Personal Data Protection Commission (PDPC) has fined Marina Bay Sands (MBS) S$315,000 for a data breach, said the Infocomm Media Development Authority (IMDA) on Tuesday (Oct 28).

About 665,000 MBS patrons had their personal data illegally accessed and exfiltrated by one or more unknown threat actors in October 2023. The affected data, which included names and contact details that identified the patrons, was later found offered for sale on the dark web.

MBS “failed to take reasonable security measures” during a large-scale software migration exercise seven months before the breach, said IMDA.

The agency said in a statement: “MBS’ failure to put in place proper processes, for something as critical as security policy, was a negligent contravention of the Protection Obligation.

“As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect their patrons’ personal data.”

An identifier affecting the Art Science Friends webpage was omitted during the migration, which enabled one or more malicious threat actors to access and extract its patrons’ personal data.

BT in your inbox

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

IMDA said that the PDPC found that MBS had relied on a single employee to manually compile a list of application programming interface configurations into the new software. It also had not implemented a second layer of checks.

The integrated resort then failed to discover and correct the omission for six months, leaving its’ patrons personal data unprotected.

IMDA added that the S$315,000 penalty factored in the scale of the data breach, following a 2022 increase of the maximum financial penalty for large organisations with annual Singapore turnovers of more than S$10 million. The change paved the way for penalties of up to 10 per cent of their annual turnovers to be imposed.

SEE ALSO

Marina Bay Sands, which is owned by US casino giant Las Vegas Sands, said it became aware of the “data security incident” on Oct 20.
MBS is looking at both the leisure and business tourism segments to bring in high-value visitors.

IMDA said the PDPC also took into consideration MBS’ “voluntary admission of liability”, as well as its implementation of “immediate remediation measures”. These included the reactivation of security measures for the website on the same day.

In 2023, a few weeks after the breach, MBS chief operating officer Paul Town had said that there had been no evidence then that the unauthorised third party had misused the data to “cause harm” to the affected patrons.



Source link

Posted in

Swedan Margen

I focus on highlighting the latest in business and entrepreneurship. I enjoy bringing fresh perspectives to the table and sharing stories that inspire growth and innovation.

Leave a Comment