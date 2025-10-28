Marina Bay Sands (MBS) has been fined $315,000 by Singapore's data privacy watchdog for a data breach that affected more than 600,000 of its patrons.

In a statement on Tuesday (Oct 28), the Personal Data Protection Commission (PDPC) said that 665,495 MBS patrons had their personal data illegally accessed and exfiltrated in October 2023.

The affected data, which included names and contact details identifying MBS' patrons, was later found offered for sale on the dark web.

"Such data leaks can be further exploited in phishing scams or identity theft," said the PDPC, adding that the penalty was determined in accordance with the revised Financial Penalty Framework.

According to the PDPC, MBS admitted to breaching the Protection Obligation when it failed to take reasonable security measures during a large-scale software migration exercise in March 2023.

"It is necessary to ensure that security policies are applied when properly migrating from the old software to the new, including data access rights," said the PDPC.

In this case, one of the identifiers affecting the ArtScience Friends webpage was omitted during the migration which allowed hackers to access and exfiltrate patrons' personal data, said the PDPC.

ArtScience Friends is a membership programme for the ArtScience Museum at MBS.

The PDPC highlighted that, despite the clear risks, MBS relied on a single employee to manually compile a list of Application Programming Interface configurations for the new software, without implementing secondary checks.

From Oct 1, 2022, Parliament raised the maximum financial penalty for large organisations with annual turnovers exceeding $10 million in Singapore, allowing fines of up to 10 per cent of their annual turnover.

The commission noted that the the change was introduced to strengthen deterrence and underscore the importance of data protection in the digital economy.

It added that all organisations must comply with the obligations set out under the Personal Data Protection Act and that appropriate action will be taken against those found in breach.

