Marina Bay Sands fined over major data breach affecting over 665K patrons

Singapore’s Personal Data Protection Commission (PDPC) has fined Marina Bay Sands (MBS) SG$315,000 ($243,096) for failing to protect the personal data of more than 665,000 patrons, in what the regulator called a ‘negligent contravention’ of the country’s data protection laws.

The decision follows an investigation into a 2023 cyber incident in which the personal information of 665,495 MBS patrons — including names and contact details — was illegally accessed and later found for sale on the dark web.

According to the PDPC, the breach occurred after MBS ‘failed to take reasonable security measures’ during a large-scale software migration in March 2023. The omission of a critical identifier linked to the ArtScience Friends webpage ‘allowed malicious threat actor(s) to access and exfiltrate’ customer data, the Commission said.

‘Despite the clear risks involved in such a migration exercise, MBS had relied on a single employee to manually compile a list of API configurations into the new software, and without implementing second-layer checks,’ the PDPC stated in its Grounds of Decision released Monday. ‘MBS failed to discover and correct the omission for six months, leaving its patrons’ personal data unprotected.’

The regulator described the case as a serious failure in governance and process, emphasizing that the company’s ‘failure to put in place proper processes for something as critical as security policy was a negligent contravention of the Protection Obligation.’

The PDPC noted that as a large enterprise with ‘significant turnover in Singapore,’ MBS had the resources and capability to safeguard customer data but did not implement adequate oversight.

The SG$315,000 ($243,096) fine was determined under Singapore’s revised financial penalty framework, introduced in the Personal Data Protection (Amendment) Bill 2021, which allows regulators to impose fines of up to 10 percent of a company’s annual turnover for large organizations.

‘The change was aimed at achieving more effective, deterrent enforcement, signalling the importance of data protection in the digital economy,’ the PDPC said.

While the Commission took into account the scale of the breach, it also acknowledged mitigating factors, including MBS’s voluntary admission of liability and immediate remediation efforts.

‘MBS implemented remedial measures on the same day, including reactivating security controls for the affected website,’ the PDPC said.

The Commission reiterated that all organizations operating in Singapore must comply with the Personal Data Protection Act (PDPA) and maintain robust safeguards against unauthorized access.

‘Protecting the personal data of consumers is key to building trust,’ the PDPC said. ‘PDPC will take appropriate action against organizations that are found to have breached their obligations under the PDPA.’

Nelson Moura
Editor and reporter with 10 years of experience in Greater China, namely Taiwan and Macau, in printed and online media, with a focus on finance, gaming, politics, crime, business and social issues.
