The operator of the casino resort Marina Bay Sands in Singapore has been fined SGD315,000 (US$243,200) in relation to a data breach that took place in 2023 and involved the personal data of more than 665,000 clients.
Singapore’s Personal Data Protection Commission (PDPC) said in an announcement on Tuesday that it had “imposed a financial penalty of SGD315,000 on integrated resort operator Marina Bay Sands Pte Ltd for breaching the protection obligation” under the city-state’s Personal Data Protection Act.
The fine related to an incident that occurred in March 2023 during a large-scale software migration exercise but was only discovered in October that year.
Marina Bay Sands Pte Ltd is a subsidiary of U.S.-based Las Vegas Sands Corp, which also operates casinos in Macau through Sands China Ltd.
According to Singapore’s personal data watchdog, 665,495 Marina Bay Sands patrons “had their personal data illegally accessed and exfiltrated” as a result of the 2023 incident.
The affected data – “which included names and contact details” identifying Marina Bay Sands patrons – “was later found offered for sale on the dark web,” the commission said.
The regulator stated in its release that the operator of Marina Bay Sands had “admitted to breaching the protection obligation by failing to take reasonable security measures to protect the personal data in its possession.”
The PDPC explained that when the casino operator was migrating from old software to new software in March 2023, a technical identifier omission involving a particular webpage meant it “no longer had proper security policies in place”.
“This allowed malicious threat actor(s) to access and exfiltrate its patrons’ personal data,” it added.
The PDPC said that “despite the clear risks involved in such a massive” software migration exercise, the operator of Marina Bay Sands “made a single employee responsible for manually compiling” important security-related technical information, “without due second-layer checks”.
It added that Marina Bay Sands Pte Ltd “failed to discover and correct the omission for six months, leaving its patrons’ personal data unprotected”.
A Marina Bay Sands spokesperson told GGRAsia in November 2023 that the firm became aware of the data security incident on October 20 that year, following unauthorised access on October 19 and 20 to some of its customers’ loyalty programme membership data.
The PDPC said in its Tuesday release that the firm’s “failure to put in place proper processes to ensure the due implementation of its security policies post-migration was a negligent contravention of the protection obligation.”
It added: “As a large enterprise with significant turnover in Singapore, it is clear that Marina Bay Sands Pte Ltd had the required resources to protect [its] patrons’ personal data.”
The regulator said the fine took into account “the scale of the data breach, which exposed the personal data of more than half a million patrons without their consent”. It added that it had also considered the firm’s “voluntary admission of liability and its implementation of immediate remediation measures, including reactivating security measures for the website on the same day.”
