that Marina Bay Sands did not take adequate measures to protect customers' personal information when it conducted a large-scale software migration, causing the data of over 660,000 customers to be leaked and sold on the dark web. Marina Bay Sands was fined $315,000 by the Personal Data Protection Commission for violating the Personal Data Protection Act.
This is the first data leak involving an integrated resort in the country. The fine is the second highest since the amendments to the Personal Data Protection Act came into effect in 2022.
The Personal Data Protection Commission (PDPC) reported Tuesday (Oct. 28) that in October 2023, the personal information of 665,495 Sands customers, including names and contact information, was illegally accessed and leaked by unknown threat actors. The information was later found for sale on the dark web.

“This type of information, if leaked, can be further abused for phishing scams or identity theft.”
The PDPC noted that Sands admitted to breaching its obligations by failing to take reasonable security measures to protect the personal data it held. The incident arose out of a large-scale software migration carried out by Sands in March 2023.
When working on such software projects, companies must ensure that all safeguards, including data access rights, are properly implemented. In this case, however, an identifier affecting the ArtScience Friends website was omitted, allowing the threat actors to gain access and disclose the personal information of Sands' customers.
The PDPC said that despite being well aware of the risks of such software migrations, Sands relied on a single staff member to compile the configuration of the application programming interfaces (APIs) that needed to be carried over to the new software, and did not conduct a second level of checking. Sands did not discover the omission from the software migration until six months later. During this time, customer data did not have the protection it needed.
The PDPC pointed out that Sands was negligent in not having proper procedures in place for something as critical as a security policy. “As a large corporation in Singapore with significant turnover, Sands clearly has the resources to protect the personal information of its customers.”
In deciding on the fine, the PDPC took into account that Sands voluntarily admitted negligence and took remedial measures as soon as the problem was discovered, including restarting the web page's security settings on the same day.
The PDPC emphasized that all businesses must fulfill their obligations under the Personal Data Protection Act. Protecting consumers' personal data is key to building trust. The PDPC takes appropriate action against offenders.
Since the amendments to the Personal Data Protection Act came into effect, in the event of a personal data breach involving at least 500 people, the organization involved must notify the government and the affected users, and may also be subject to a higher fine of up to 10% of its annual local turnover or $1 million, whichever is higher.
Sands declined to comment when asked about the details of the incident, including whether the staff involved were disciplined, and about the PDPC's ruling.
The incident stems from a large-scale software migration in March 2023 at Sands. (Photo by Chen Yuanzhuang)
News from Singapore Lianhe Zaobao

