Copyright news18
Singapore, Oct 28 (PTI) The operator of the casino resort Marina Bay Sands in Singapore has been fined SGD 315,000 (USD 243,200) by the data privacy watchdog over a data breach two years ago that affected more than 665,000 customers. In October 2023, 665,495 Marina Bay Sands (MBS) patrons had their personal data “illegally accessed and exfiltrated by unknown threat actor(s)”, the Personal Data Protection Commission (PDPC) was quoted as saying by Channel News Asia on Tuesday. The leaked data was later found to be offered for sale on the dark web, according to PDPC. MBS, the most popular casino-based conference and international event venue in the city-state, said in November 2023 that the breach involved the data of its ‘LifeStyle’ rewards programme members, including names, email addresses, phone numbers, country of residence, as well as membership number and tier. Investigations determined that an unknown third party had accessed the data and that membership data from MBS’ casino rewards programme were believed to be unaffected, according to the report. The watchdog said on Tuesday that MBS had admitted to breaching the Protection Obligation under the Personal Data Protection Act (PDPA) when it failed to take reasonable security measures during a large-scale software migration exercise in March 2023. The exercise involved migrating old software to new software. This included all applications that are accessible via the Application Programming Interfaces (APIs) and their respective identifiers, which had to be migrated accordingly. According to an advisory published by the Cyber Security Agency of Singapore (CSA) in October 2022, an API facilitates service communications between two or more apps and performs a vital role as they provide flexibility by simplifying software design, administration and use. However, they are also the most commonly exposed component of a system and thus have to be secured against attacks. “It is necessary to ensure that security policies are applied when properly migrating from the old software to the new, including data access rights,” said PDPC. “In this case, one of the identifiers affecting the Art Science Friends webpage was omitted during the migration. This allowed malicious threat actor(s) to access and exfiltrate its patrons’ personal data,” the agency said. Such data leaks can be further exploited in phishing scams or identity theft, it added. Despite the “clear risks” involved in such a migration exercise, PDPC noted that MBS relied on a single employee to manually compile a list of API configurations into the new software and did not implement second-layer checks. As a result, MBS failed to discover and correct the omission for six months, leaving the personal data of its customers unprotected. “MBS’ failure to put in place proper processes for something as critical as security policy was a negligent contravention of the Protection Obligation,” said PDPC. PTI GS ZH ZH
