Data of 665,000 Marina Bay Sands patrons sold on dark web; Singapore fines resort RM1.1m
SINGAPORE, Oct 29 — Singapore’s Marina Bay Sands (MBS) has been fined S$315,000 (RM1.1 million) by the Personal Data Protection Commission (PDPC) after a data breach exposed the personal details of more than 665,000 patrons.
According to AsiaOne, the PDPC said in a statement that the October 2023 breach involved the unauthorised access and exfiltration of data, including names and contact details of MBS patrons.
The information was later found being offered for sale on the dark web.
The PDPC said such leaks could be exploited for phishing scams or identity theft, adding that the fine was determined under its revised Financial Penalty Framework.
Investigations found that MBS failed to take reasonable security measures during a large-scale software migration in March 2023.
“It is necessary to ensure that security policies are applied when properly migrating from old software to new, including data access rights,” the PDPC said.
In this instance, a flaw in the ArtScience Friends webpage — part of the ArtScience Museum’s membership programme — left a missing identifier that opened the door for hackers to retrieve patron data.
The commission also noted that MBS relied on a single employee to manually compile a list of Application Programming Interface configurations for the migration, without secondary verification, despite clear risks.
Under Singapore’s updated data protection law, large organisations with annual turnovers exceeding S$10 million can face fines of up to 10 per cent of their turnover for breaches.
The PDPC said the stronger penalties aim to reinforce deterrence and underline the importance of data protection in the digital economy.
