Singapore's Marina Bay Sands Hotel was fined S$315,000 (about US$243,300) by the Personal Data Protection Commission (PDPC) over a major data breach in 2023. The incident resulted in the personal information of 665,000 customers being leaked on the dark web for over six months. The leaked data originated from the hotel's LifeStyle membership rewards program and included names, email addresses, phone numbers, nationalities, and membership details; the casino rewards program was not affected. The PDPC found that the hotel was significantly negligent during the data migration process and failed to implement adequate security measures, in violation of its data protection obligations.

Incident Details and Penalty Decision
From March to October 2023, Marina Bay Sands Hotel failed to effectively protect data during a software migration, exposing the information of 665,495 customers. The PDPC investigation revealed that the hotel had assigned only one employee to handle API configuration, with no secondary review, allowing threat actors to illegally access and steal data in October. The PDPC noted that the hotel ignored obvious risks and completed a large-scale data migration without establishing proper security processes. It ultimately imposed a fine of S$315,000, emphasizing that, as a large enterprise, the hotel should have sufficient data protection capabilities.

Leaked Data Content and Risks
The leaked data came from the hotel's LifeStyle membership program and included customer names, email addresses, phone numbers, countries of residence, membership numbers, and levels; casino-related data was untouched. The PDPC stated that this information could be used for phishing, fraud, or identity theft, posing a continuing security threat to customers. Following the incident, the hotel committed to enhancing system security and advised users to monitor their accounts, change passwords regularly, and stay alert to suspicious activity.

Corporate Response and Regulatory Background
Following the incident, Marina Bay Sands Hotel quickly initiated an investigation and hired an external cybersecurity firm to assist. The parent company, Las Vegas Sands Group, committed to further strengthening its data protection systems. Singapore revised its regulations in 2022, allowing for fines of up to 10% of annual turnover for businesses with annual turnover exceeding S$10 million. Last year, Marina Bay Sands Hotel's net revenue reached S$5.43 billion. The fine amount was based on a comprehensive assessment of the violation and the response measures.









