
In October 2023, the luxury integrated resort Marina Bay Sands Pte Ltd (MBS) experienced a significant data security incident involving its loyalty-rewards programme. On the evenings of 19 and 20 October, an unauthorized third party gained access to the personal data of approximately 665,495 members of its “Sands LifeStyle” non-casino rewards programme.

According to the resort’s announcement and subsequent reporting, the compromised information included names, email addresses, mobile phone numbers, country of residence, membership numbers and tiers. Notably, MBS stated that membership data from its casino-rewards programme (Sands Rewards Club) was not affected. The resort engaged an external cybersecurity firm to investigate, and advised affected members to monitor for suspicious activity and change their login credentials.

The breach was linked to deficiencies during a large-scale software migration exercise earlier in 2023. Specifically, a failure to migrate or secure an API identifier enabled the unauthorized access. The Personal Data Protection Commission (PDPC) found that MBS had relied on a single employee to manually compile configuration data without a second-layer verification, and that the omission remained undetected for approximately six months.

On 28 October 2025, the PDPC fined MBS S$315,000 (approximately US$243,000) for contravening its Protection Obligation under Singapore’s Personal Data Protection Act (PDPA). In determining the penalty, the regulator took into account the scale of the breach, the fact that over half a million patrons were affected, and the organization’s voluntary admission of liability as well as immediate remediation actions. 

Although MBS reported that “to date” there was no evidence of misuse of the data, experts emphasise that the exposed information—names, emails, phone numbers—can be leveraged for phishing or other social-engineering attacks, and can be monetised on the dark web. For instance, one commentator noted that even when credit-card numbers are not compromised, the value of such personal data in the wrong hands is still significant. 

This incident underscores the increasingly strict enforcement environment in Singapore for data-protection failures. Under updated rules since October 2022, organisations with annual turnover above S$10 million can face fines of up to 10% of their annual turnover for serious breaches—a clear signal to large enterprises handling substantial volumes of personal data.