Marina Bay Sands experienceds data leak involving the personal information of some 665,000 members of its shoppers’ rewards program.

Marina Bay Sands experienceds data leak involving the personal information of some 665,000 members of its shoppers’ rewards program. (Image by Shutterstock)

Singapore’s Marina Bay Sands suffers data leak

  • Marina Bay Sands has experienced a data leak involving the personal information of 665,000 members of its shoppers’ rewards program. 
  • No unauthorized third party use of compromised data to cause harm to customers has yet been detected.
  • What now for all the compromised members and their data?

Singapore is known for having one of the strictest cybersecurity and data protection regimes in the regions. Organizations understand their duty to ensure that they do not compromise on cybersecurity, especially when it comes to data privacy. 

Companies that experience cybersecurity incidents are quick to inform their customers and regulators, with plans to resolve the situation executed quickly, too. Compromised organizations can also be heavily fined if investigations show that there were weaknesses in their cybersecurity which led to a data breach. 

So when Marina Bay Sands (MBS) experienced a data leak involving the personal information of some 665,000 members of its shoppers’ rewards program, the company was quick to react. 

In an email to members of its Sands LifeStyle program on November 7th, MBS stated that its rewards programs had been exposed to a data leak between October 19th and 20th. The resort also said that it was aware of the incident on October 20th and immediately launched investigations. 

On investigating the data leak, it was discovered that the personal data of members was accessed by an unknown third party. 

“On discovery of the incident, our teams immediately took action to resolve it. Investigations have since determined that an unknown third party accessed the customer data of about 665,000 non-casino rewards programme members,” said Paul Town, MBS chief operating officer in an email to members. 

The statement from MBS to members confirming the data leak.

The statement from MBS to members, confirming the data leak.

The statement also reassured members that no evidence has been discovered to date that indicates the unauthorized third party has misused the data to cause harm to customers.

“We do not believe that membership data from our casino rewards program, Sands Rewards Club, was affected. After learning of the issue, we quickly launched an investigation, have been working with a leading external cybersecurity firm, and have taken action to further strengthen our systems and protect data,” said Town. 

The personal data that was affected included members’ names, email addresses, contact details, country of residence, membership numbers and tiers. 

MBS recommended users closely monitor their accounts for suspicious activity, and change their log-in pin regularly. It also advised that users remain extra vigilant against phishing attempts, particularly against clicking on links that might direct them to malicious websites where password or other personal information could be requested.

MSB has since reported the data leak to the relevant authorities in Singapore and other countries where applicable and is working with them in their inquiries into the issue.

The data leak is still being investigated. (Image by Shutterstock)

The data leak is still being investigated. (Image by Shutterstock)

Increasing cybersecurity incidents in Singapore

Despite statistics showing a decline in cybersecurity incidents in Singapore in the earlier part of the year, the recent weeks have witnessed an increasing a number of such incidents. Statistics show that between the first quarter of 2020 and the first quarter of 2023, the number of records exposed in data breaches in Singapore fluctuated significantly. 

Data about the data leak remains sparse.

Ironically, data about the data leak remains sparse at present.

Apart from the data leak in MBS, the most recent known incident was the series of web service outages several public hospitals and polyclinics experienced due to a distributed denial-of-service (DDoS) attack. According to national healthcare IT provider Synapxe, the attackers flooded servers with internet traffic to prevent users from accessing online services. 

“Fortunately, the disruption did not result in a compromise of data or internal networks. Patient care, clinical services, and access to records and appointment systems were uncompromised. However, this incident highlights the critical need to secure healthcare networks. Healthcare records are attractive targets for cybercriminals given their potential for identity theft and fraud, along with their high value on the black market,” commented George Lee, senior vice president, Asia Pacific & Japan at Imperva.

Data leak similar to Las Vegas casino hack?

While some users may feel the data leak experienced by MBS could be linked to the recent ransomware attacks experienced by two casinos in Las Vegas, it is actually a rather different situation. 

In the ransomware incidents experienced by Caesars Palace and MGM in Las Vegas, the cybercriminals disrupted services and demanded a ransom payment from the organizations. However, MBS has not reported any ransom demands and claims that only the personal data of its members have been compromised. Despite this, the stolen data could be worth a fortune on the dark web, given the information it contains. 

For now, it remains to be seen what exactly caused the data leak in MBS and whether there was any other data that was compromised.