PDPC Imposes Financial Penalty on Marina Bay Sands for Data Breach
28 Oct 2025
The Personal Data Protection Commission (PDPC) has imposed a financial penalty of $315,000 on Marina Bay Sands Pte Ltd (MBS) for breaching the Protection Obligation under the Personal Data Protection Act (PDPA). The penalty was determined in accordance with the revised Financial Penalty framework introduced in the Personal Data Protection (Amendment) Bill 2021.
In October 2023, 665,495 MBS patrons had their personal data illegally accessed and exfiltrated by unknown threat actor(s). The affected data, which included names and contact details that identified MBS’ patrons, was later found offered for sale on the dark web. Such data leaks can be further exploited in phishing scams or identity theft.
MBS admitted to breaching the Protection Obligation when it failed to take reasonable security measures to protect the personal data in its possession. This occurred during a large-scale software migration exercise in March 2023. When migrating from old software to new, it is necessary to ensure that security policies, including data access rights, are properly applied. This means that all applications that are accessible via the Application Programming Interfaces (APIs) and respective identifiers must be duly migrated. In this case, one of the identifiers affecting the Art Science Friends webpage was omitted during the migration. This allowed malicious threat actor(s) to access and exfiltrate its patrons’ personal data.
Despite the clear risks involved in such a migration exercise, PDPC found that MBS had relied on a single employee to manually compile a list of API configurations into the new software, without implementing second-layer checks. MBS failed to discover and correct the omission for six months, leaving its patrons’ personal data unprotected. MBS’ failure to put in place proper processes for something as critical as security policy was a negligent contravention of the Protection Obligation. As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect its patrons’ personal data.
From 1 October 2022, Parliament raised the maximum financial penalty for large organisations with annual turnovers in Singapore of more than S$10 million, allowing penalties of up to 10% of their annual turnovers. This change was aimed at achieving more effective, deterrent enforcement, signalling the importance of data protection in the digital economy. Under the revised financial penalty framework, the penalty accounted for the scale of the data breach, which exposed the personal data of more than half a million patrons without their consent. PDPC also took into consideration MBS’ voluntary admission of liability and its implementation of immediate remediation measures, including reactivating security measures for the website on the same day.
All organisations must adhere to the PDPA obligations, and protecting the personal data of consumers is key to building trust. PDPC will take appropriate action against organisations that are found to have breached their obligations under the PDPA. Details of the case are listed in the Grounds of Decision.