Marina Bay Sands fined S$315,000 for data breach affecting over 665,000 patrons
Marina Bay Sands has been fined S$315,000 by Singapore’s data privacy watchdog for a 2023 breach that exposed the personal information of more than 665,000 patrons. The PDPC cited negligence in security management during a software migration as the cause of the breach.

- Marina Bay Sands (MBS) fined S$315,000 by PDPC over a 2023 data breach affecting 665,495 patrons.
- Breach caused by omission during software migration, leaving data exposed for six months.
- PDPC cites negligence; MBS admits liability and has since implemented remediation measures.

SINGAPORE: The Personal Data Protection Commission (PDPC) has fined Marina Bay Sands (MBS) S$315,000 (US$243,300) for a major data breach that exposed the personal information of more than 665,000 customers in 2023.
According to a statement issued by PDPC on 28 October 2025, the incident stemmed from a failure to secure data during a large-scale software migration, allowing unknown threat actors to access and exfiltrate personal data later found for sale on the dark web.
The breach occurred in October 2023 and affected 665,495 members of the MBS LifeStyle rewards programme.
Compromised data included names, email addresses, phone numbers, countries of residence, membership numbers, and membership tiers.

Failure in software migration process

The PDPC stated that MBS breached the Protection Obligation under the Personal Data Protection Act (PDPA) when it failed to take reasonable security measures during a software migration exercise in March 2023.
The process involved moving data between old and new systems connected through Application Programming Interfaces (APIs).
One of the identifiers related to the Art Science Friends webpage was omitted during migration, creating a vulnerability that malicious actors later exploited.
The commission explained that APIs are essential for software communications but are also common attack vectors if not secured properly.
“It is necessary to ensure that security policies are applied when properly migrating from old software to new, including data access rights,” the PDPC said in its report.

Negligence and lack of oversight

The watchdog found that MBS relied on a single employee to manually compile API configurations without secondary verification, despite the significant risks involved.
The omission went undetected for six months, leaving customer data unprotected during that time.
“MBS’ failure to put in place proper processes for something as critical as security policy was a negligent contravention of the Protection Obligation,” PDPC said.
“As a large enterprise with significant turnover in Singapore, it is clear that MBS had the required resources to protect their patrons’ personal data.”

Scale of breach and fine considerations

Under amendments passed in October 2022, large organisations with annual turnovers in Singapore exceeding S$10 million can face fines of up to 10 per cent of their annual revenue for breaches of the PDPA.
MBS reported a net revenue of US$4.2 billion in 2024.
While the maximum potential penalty was far higher, PDPC noted that the fine of S$315,000 reflected both the scale of the breach and MBS’ prompt remedial actions.
The company voluntarily admitted liability and took immediate steps to rectify the issue, including reinstating website security measures on the same day the breach was discovered.

Impact and broader implications

PDPC warned that personal data leaks of this nature can be exploited for phishing scams and identity theft, highlighting the continuing need for businesses to prioritise cybersecurity during system changes.
“All organisations must adhere to PDPA obligations, and protecting the personal data of consumers is key to building trust,” PDPC stated.
“PDPC will take appropriate action against organisations that are found to have breached their obligations under PDPA.”





